I think they do the latter, but they may just be checking that the machine's assigned hostname is foo.division.companyname.com. Not the best approach, but it mitigates all but a highly focused attack. This meets our goal, which was to prevent worm infection. Mucking with a DNS server to the point of guessing what we are looking for is an unlikely attack.
This is why, when we were looking for PFW solutions, we settled on using the one built into XP SP2 and above.
Why?
Yeah, it'd be nice to stop the stupid user stuff with outbound attacks and such... but most of that threat is better mitigated through the use of malcode-analyzing proxies and other filtering systems (we quarantine email attachments, haven't had a 0-day in years, use centralized ad and malcode blocking for web browsers, etc).
The REAL threat that we could actually get benefit from using PFW software on was for inbound traffic (i.e. WORMS). We tested many PFW applications in our labs, and many of them were horrible (They didn't even begin blocking until the user logged in, they opened listening ports for their own management, etc). We found that the firewall bundled with XP SP2, however, is actually a very good product. It is up on boot, DROPS rather than rejects packets, is controllable via scripting, and has good logging. The problem, as always, is in allowing our staff to administer windoze clients remotely. This requires certain ports be opened.
The easiest tradeoff (and we remain worm-free) was to simply block all inbound ports unless the client is connected to a trusted corporate network (in which case we open them all up again). This is done through some Active Directory probing during initialization scripting and also on interface up/down changes. It works very well.
It's not perfect, nor is it the most uber-super secure solution (a user could theoretically bypass our default wireless configuration to bridge while connected to a trusted wired network since our windows AD guy doesn't know a way to dynamically block with the firewall per interface -- it's a risk covered by our security policies which we don't mind). But it does what we need it to do, provides adequate security, and does not disrupt business.
Here are the requirements that we had going into our testing, and the XP SP2 firewall did a very good job at addressing them:
If loaded with no policy, default policy is deny all inbound traffic
Firewall must be in place on system boot before the launch of any other network services, and prior to user login
When connected to untrusted network, policy is deny all inbound
When connected to trusted network, policy is allow all
When connected to trusted network via IPSec tunnel, policy is allow all
Must be centrally managed, integrated with existing management if possible
Must be easily mass deployable by desktop services staff
Must meet ICSA Labs PC Firewalls Certification Criteria
The concepts involved (port/protocol/subnet/hostname/client/server, etc) have not changed since I have been playing starting around 1994. Yes, it will change when IPV6 is adopted, but we ALL have some learning to do when that occurs.
It's already a problem. Ever try to run your own mail and web servers from home? It's ridiculous that I have to pay $80/month for a 'commercial class' line to do these things, as an individual where it's normally more like $20. Unfortunately, I'm not about to give up the flexibility that running my own servers affords me, so I have to pay it or move to a colo where I'll have less control and flexibility.
Software firewalls 'solve' the same problem as antivirus software. They attempt to disallow stupid users from doing stupid things. For the most part, if people don't install unknown/untrusted software on their PCs, and use safer alternatives for online stuff (gaim, firefox, sylpheed vs. aol's own messenger, MSIE, Outlook) along with practicing safe online computing in general, personal firewalls add the same value as antivirus software. None.
For a skilled user (which these aren't marketed to anyway), there is value in analyzing what your software is trying to open outbound connections to, if you tell your PFW to alert you. In the hands of a skilled user, this is good information and the PFW is a good tool to analyze what software you may want to ditch or restrict. Again, this isn't the demographic most PFW vendors market to. You can't use a tool like this without a basic knowledge of how TCP/IP works. Then again, maybe that should be required knowledge for any user who connects their computer to the Internet. We need licenses to show we are competent enough to drive cars, and this is the "Information Superhighway" after all.
If you put your stuff in your checked baggage, many times it will break open due to the pressure changes. Nice mess you have then. Also, if the checked baggage doesn't arrive with you (that never happens, right), you have to then go to a store and buy more toiletries. And what about those of us who wear contacts? I have to fly to Nashville this week for surgery. Am I going to be able to bring a bottle of saline in case I have problems with a lens?
Security theater, once again at its finest. Don't forget to take off your flip flops at the checkpoint and take your laptop out of the bag (while all other electronic equipment can stay) either.
OS/2 Warp had speech recognition in 1994 with OS/2 Warp. Better yet, the OS/2 version of Netscape at the time was speech enabled (browse simply by speaking the link). Even cooler was that the Netscape developers actually listened to the OS/2 community with that version (I remember them implementing something that I had asked for...very cool). Keep in mind that the average system of that time was a Pentium 133 with 100MB of RAM.
And here we are at 2006, with GHz processors and GBytes of RAM dirt cheap, and M$ is just now starting to experiment with this? By now this technology should be damned near perfectly integrated across the board!
Thanks for abusing your monopoly power to destroy all of the competition and REAL innovation, Microsoft!
Make it so that only stuff installed via firefox itself will run? Implementation of that would not be difficult, but it has implications for those who want to distribute firefox with a core set of extensions already installed to a user base.
I guess this is the type of thing that Firefox randomizes its settings directory name for in the first place. Of course the equivalent of 'find $firefoxdir -type d -print' is not a very difficult thing to implement in a trojan.
This is why we have implemented a mail quarantine here where I work. If a luser 'needs' an executable released early, they have to call the help desk and sign off that they know who the sender is and that they were expecting it.
AV will always be broken. There are better ways than signatures. The problem is with human nature. We'd rather take a pill to relieve a headache than avoid the things that give us that headache in the first place.
Where I work, you just need to be on a bicycle. I even got waved through the guard shack on a day that our governor was on site and security was being more strict. I know it's not because they know me, because I normally drive.
Well, Netscape was also guilty of 'ruining' the web too. It was Netscape that first began using nonstandard (to the published W3C specs of the day) HTML. Much of it was good, and did become standardized, but it also caused breakage with nice browsers like OS/2's webex.
...but which 'P' did they use? Did they use mod_perl or mod_python, or just call things as straight CGI scripts? That would certainly kill performance. Did they preload often-used subroutines into the embedded apache stuff?
I've found that some of the most intelligent people I know are endurance athletes. Doesn't it make sense that if you are healthy you function better as a whole, including your mind? Personally I am an expert class XC mountain bike racer, and not too bad on a snowboard. I have also been a runner in the past (that's now out after breaking my ankle twice), skydiver, and adventure racer. I've met a lot of self-described 'nerds' who didn't impress me as being all that intelligent. Most of the athletes I have met I do find to be quite intelligent, however. Especially with mountain bikes where you have to be very self-sufficient with repairs.
For geek cred: My degree is in aerospace engineering, I have contributed to a few open source projects, run a couple on freshmeat, and run my own mailing lists and such for my cycling team. The servers are probably a better anti-spam solution than what you would pay for from postini and the like. During the day, I'm a network security analyst at a rather large global company. I also attend blackhat and defcon every year.
There are smart and dumb people out there with all types of personalities. People may think that athletes are dumb, but my personal experience has been quite the opposite. It's sad that people who think they are so intelligent (and usually aren't) allow themselves to become so ridiculously out of shape that simply walking a mile or two is a significant effort.
Terrorists don't trust the evil westerners and their technology. If they were to use online communication, it surely would be encrypted. I find it hard to believe that the FBI thwarted anything via jumping on a public chat room.
Contextual right-click menus were stolen by M$ from OS/2. And they never did implement the object model consistently, even today.
I doubt these would ever get by my greylisting. If they did, they then have to get through the rudimentary checks (which most spam totally fails on), before finally being passed to spamassassin, where it will be properly classified and /dev/nulled.
Mimedefang has these things set up on my home server:
Reject if in spamhaus block list (it's easy to get yourself off of that one)
Reject if helo is not FQDN or IP address
Reject if sender tries to spoof as an address on my domain
Reject if sending SMTP server tries to issue a helo that is on my domain
Reject all RFC1918 helos from untrusted nets
Reject senders not in the lists they are trying to send to.
Between the mimedefang rules and the greylisting, spamassassin and my bayes filters rarely even have to process anything. This becomes very important as you scale a corporate system to 1000's of users.
At work we also parse the headers to see if we are getting idiotic 'bounces' from misconfigured antispam vendors replying to spoofed mail.
We also implement SPF records.
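The HELO and sender rules listed above, written out as a Python envelope checker so the order and the trusted-network gating are explicit. This is an added example, not the poster's own MIMEDefang filter (which would be Perl); the domain, trusted subnet, DNSBL stand-in and list membership are constructed values.

```python
import ipaddress
import re

# All values below are constructed for this example.
MY_DOMAIN = "example.com"                                   # domain we are authoritative for
TRUSTED_NETS = [ipaddress.ip_network("192.168.10.0/24")]    # internal net allowed to relay
DNSBL_LISTED = {"203.0.113.7"}                              # stand-in for a live Spamhaus lookup
MAILING_LISTS = {                                           # list address -> allowed senders
    "team@example.com": {"alice@example.com", "bob@example.org"},
}

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$", re.IGNORECASE)


def helo_address(helo):
    """Return the IP if HELO is an address literal ([1.2.3.4]) or bare IP, else None."""
    text = helo.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def helo_is_fqdn_or_ip(helo):
    """A HELO must carry at least one dot (FQDN) or be an IP address."""
    if helo_address(helo) is not None:
        return True
    return bool(_FQDN_RE.match(helo.strip().rstrip(".")))


def on_my_domain(name):
    name = name.lower().rstrip(".")
    return name == MY_DOMAIN or name.endswith("." + MY_DOMAIN)


def is_trusted(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED_NETS)


def check_envelope(client_ip, helo, sender, recipients):
    """Return ("accept", "") or ("reject", reason), applying the rules in order.

    Rules 1-5 are only applied to clients outside the trusted nets (assumption:
    internal hosts may legitimately send as our domain or HELO as an RFC 1918 name)."""
    if not is_trusted(client_ip):
        if client_ip in DNSBL_LISTED:
            return "reject", "client listed in DNSBL"
        if not helo_is_fqdn_or_ip(helo):
            return "reject", "HELO is neither an FQDN nor an IP address"
        if on_my_domain(sender.rpartition("@")[2]):
            return "reject", "sender spoofs an address on my domain"
        addr = helo_address(helo)
        if addr is None and on_my_domain(helo):
            return "reject", "HELO claims a host on my domain"
        if addr is not None and addr.is_private:   # RFC 1918 plus loopback/link-local
            return "reject", "RFC 1918 HELO from untrusted network"
    # Rule 6 applies to everyone: only members may post to a list.
    for rcpt in recipients:
        members = MAILING_LISTS.get(rcpt.lower())
        if members is not None and sender.lower() not in members:
            return "reject", f"sender not a member of list {rcpt}"
    return "accept", ""
```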
Well, the cable company better stop scrambling the pay channels coming in on my analog cable line then, hadn't they?
I bet somebody could create the history page with a firefox extension, if they had the time.
or... Use barcodes or mag strips instead. RFID has no good use in these, other than to compromise your security and even endanger your life.
I'm sure that if there is a bomb that is nearby configured to go off when the proper RFID signal is detected, said bomb can certainly send out the RF needed to light up the RFID tag.
ok, how about an unattended claymore that is configured to go off when it sees the RFID? Didn't think of that, did ya!
You obviously have never had the pleasure of dealing with their idiotic mail system as a mail admin.
I just wish OO.o 2 would open my OO.o 1 files. I had to uninstall and then reinstall the older version. I expect this from M$, but from Open Office?
Cell phone = TCP
Radio = UDP
They are different. Does it make a difference in distraction? Dunno. That study was not done.