You will find a useful comparison of Linux-based options in Building Linux VPNs by Oleg Kolesnikov and Brian Hatch.
They include SSH, SSL, IPSec, and other approaches, and don't waste time explaining TCP/IP.
Helevius, "Books for Security Analysts, listed by Tier" on General IT Books? (Score: 1)
Hello,
These lists by Richard Bejtlich provide reading suggestions based on your knowledge level and current responsibilities. The reviewer breaks down the material into three tiers. Tier one is entry level. Tier two is 1-2 years' experience. Tier three is 3 or more years' experience.
Following the recommendations is nearly equivalent to a four year independent study program in digital security.
"At the start of 2002 I resolved to stop reading and reviewing books on familiar topics. I will no longer try to review every security book which hits the shelves. If a new book does not offer original content, I will not read and review it. My recommended reading lists will reflect my opinion of the authoritative books on each subject relevant to the digital security profession."
I entered the US Air Force Academy in 1990 to become an astronautical engineer. I graduated in 1994 with degrees in history and political science, with minors in French and German. The Air Force trained me as an intelligence officer, but 2 1/2 years in the Air Force CERT opened the door to computer security. As a civilian at a managed security services company, I provide tier three analysis and train tier one and two personnel. I feel I've found my true calling, but you never know when another career opportunity may appear.
The only common thread through these last twelve years has been a good attitude and a commitment to learn. I look for those qualities in everyone I hire. My staff includes ex-grade school teachers and philosophy majors, and all are doing well!
If Lucas were a genius, he would auction the right to decide Jar Jar Bink's future in the next or third Star Wars movie. He could bring in a lot of money by guaranteeing the high bidder's way to eliminate Jar Jar would appear on screen. Perhaps an AT-AT would step on him, or he could be rolled over by a sandcrawler? (Yeah, those are tame.)
Although any incremental improvement in security is beneficial, true network security monitoring requires a real commitment of trained manpower, customized applications, and rational processes. Unless you're willing to devote all of your time, and the time of a motivated and quick-learning staff, don't bother with IDS. Network security monitoring is much more involved than firewall deployment or router ACL configuration, for example.
If you've only got the time, energy, inclination, or budget to do the job halfway, you'll get more productive results monitoring your firewall, router, and application logs.
If you really feel you want network security monitoring, but can't commit to it, I recommend a competent managed security services provider. Unfortunately, I'm not comfortable with any of the offerings besides that of my employer. Sure, it sounds like a shameless plug, but if other MSSPs care to explain how they do business, I'll have good words for them. Until then, I know my shop does good network security monitoring work. Of the few competitors whose operations I understand, none inspire confidence.
If you think I only rip on other MSSPs, I can heartily recommend Digital Defense for doing top-notch vulnerability assessments (but that's not IDS, unfortunately).
Helevius, "The false positive myth, & escalation vs detec" on Future Of IDS (Score: 2, Informative)
I've been doing enterprise network security monitoring for over three years, in military and commercial sectors.
First, most IDS users focus on eliminating "false positives." This mindset, and especially ISS' goal of "zero false positives," is misguided.
I treat every IDS event as an "indicator," in the military intel idea of "indications and warnings." If I tell my IDS to find "X", and it reports "X", is that a false positive if "X" doesn't mean compromise? No, it's my responsibility to evaluate that indication by performing correlation and looking at the bigger picture.
Second, most IDS developers seem to focus on the detection aspect, i.e., can we detect at gigabit speeds? Can we detect Unicode-encoded attacks? This is necessary but not sufficient to perform network security monitoring.
IDS vendors need to understand that ESCALATION is the goal, not just detection. If the IDS doesn't provide enough supporting data to help me make a judgement without physically inspecting the target, why bother alerting at all? Why flash the red alert light if I must call the customer or do computer forensics to find out if the box is hacked?
Expect more rants in the form of a book (hopefully) late next year or sometime in '03.
The article also mentions Marcus Sachs will help the White House. I worked with him when I was in the Air Force. Marcus appeared to be the most clueful person working at the Joint Task Force for Computer Network Defense. (That's what it was called when I was still in uniform, before it became the JTF-CNO.) Marcus has been teaching "Security Essentials" for SANS for the last several months. I believe he planned to retire from the Army any time now, so he must be happy to have a follow-on job ready. He's no Microsoft guy either, from what I remember!
I separated from the Air Force this spring as a captain with almost 7 years of service, preceded by 4 years of service academy time.
Almost every uniformed person I can possibly imagine undergoes some sort of basic training. All Air Force enlistees pass through six weeks of basic training at Lackland AFB. Officers either attend the AF Academy, a college ROTC program, or Officer Training School. Doctors and lawyers are treated somewhat differently when rank is concerned, but they still undergo basic training.
Of the services, the Marines and Army consider themselves Marines or soldiers first, and "IT professionals" (if there is such a thing in the services) second. The Air Force and Navy identify with their specialty first (pilot, submariner, whatever) and their status as airmen and sailors second. It's purely cultural.
So, if you're either an Army or Marine grunt, you'll be well acquainted with your weapon (rifle). In the Air Force or Navy, it's less likely.
Can anyone recommend a NIC with a decent range to conduct war driving? I'm looking at the vulnerability assessment angle here. Ideally I'd like a NIC supported by Linux and Windows 2000. AirSnort supports only a handful of cards (AirSnort uses the Prism2 chipset). No card listed seems to win praise for its range, based on user reviews I've read. Can anyone comment on this?
When I was a college student I played Civ like a maniac. One of my friends thought playing games like that was stupid and tormented me relentlessly. Finally I decided to exact revenge. I dared my friend to try playing Civ. Since the game was ruining my grades, I uninstalled it one afternoon and gave it to my friend.
The next morning I wandered over to my friend's room -- no response to a knock on the door. I walked in and found him asleep, slumped over his keyboard, Civ running on his screen. Ha!
I hardly had any positive experiences with "group projects," from gradeschool through my master's program. In almost every case weaker group members sought to "free ride" on the talents of the stronger group members. This tendency increased with group size.
The most extreme example involved a class of twenty doing an engineering project senior year in college. When the rubber met the road, only five of us truly cared enough to finish the project. We received A's for our efforts and the rest of the class received B's and C's. Who's smarter?
On the positive side, working in pairs or groups of three (maximum) seemed to work out. It's not easy to be a free rider when there's only one or two other people to leech!
Helevius, "Re:Canadian Editorial -- from 1973!" on More WTC News (Score: 2, Informative)
From that page: "On June 5 1973, Canadian radio commentator Gordon Sinclair decided he'd had enough of the stream of criticism and negative press recently directed at the United States of America by foreign journalists (primarily over America's long military involvement in Vietnam, which had ended with the signing of the Paris Peace Accords six months earlier). When he arrived at radio station CFRB in Toronto that morning, he spent twenty minutes dashing off a two-page editorial defending the USA against its carping critics which he then delivered in a defiant, indignant tone during his "Let's Be Personal" spot at 11:45 AM that day."
If the Islamic world had so much to offer the West, why didn't we see an Islamic Renaissance prior to the European Renaissance? Or do you believe knowledge can be "stolen," as some think?
I don't deny other cultures made contributions to science, etc. We all generally stand on the shoulders of giants. I still give props to the Europeans for making the best use of the knowledge they built upon and developed themselves.
Oh well. I'm sure the Islamic world would have eventually invented the Internet, if Al Gore hadn't beaten them to it.
I agree the sys admin matters, but it's not as simple as that. Try reading Securing Windows NT/2000 Servers by Stefan Norberg. To securely admin a Windows NT/2000 box, Stefan advocates ripping most of its guts out (NetBIOS, Workstation and Server services, etc.)
NT's standard remote admin tools, like Event Viewer and Server Manager, require RPC using NetBIOS, which is difficult if not impossible to secure.
UNIX may have its problems, but secure remote administration using native tools is not one of them.
Personally, I'm partial to the IBM Thinkpad a20p. Sound and DVD work, X at 1400x1050 works, suspend to disk works, etc., under Red Hat 7.1.
Why not check laptop ratings at the Linux Hardware Database? For the most comprehensive resource I've found, visit Linux on Laptops. Individual laptops aren't rated, but you'll learn if anyone's had success with the hardware you hope to use.
Population figures must take into account live as well as dead people. A rough but "semi-scientific" estimate by the Population Reference Bureau says about 105 billion people were born since 50,000 BC. So, every billion people killed by "attitudes" equals 1 percent or so. Unless you think "billions" must equal 10 - 20 billion to qualify, you're probably off.
Still, the original comment is outrageous. Consider a horrible century like the 20th. Somewhere around 200 million people died due to war. I sincerely doubt the war figures from previous centuries would double that figure, leaving us well short of even a single billion!
1. Several personalities in the network security/IDS community made a living convincing newbie security folks that testing round trip times and load balancing software were signs of malicious activity. They raised the paranoia level so high that "odd" packets freak out the newbies. And, when you're just starting, almost EVERYTHING looks different than Richard Stevens said it would. I've been doing hands-on IDS for almost three years, and I probably see something new every day.
2. IDS vendors compete partly on the number of signatures they "detect." Ident connections, although almost always benign, are reported to pad detection statistics (just like anti-virus technology).
Personally, I'd set up a spam filter that auto-replies to the emails you're receiving.
Helevius, "FreeBSD + Broadband != Need for DVD Distro" on FreeBSD on DVD (Score: 3)
While I won't argue strongly against pro-FreeBSD developments, I don't think FreeBSD and DVDs make a lot of sense. I like to install the base OS, then immediately update the ports tree with the latest and greatest via cable modem.
I don't see the point of dropping a lot of soon-to-be-dated software on a whopping DVD-ROM, when broadband offers access to the latest and greatest. I'm a big fan of the ports system, since it will go to the Internet to resolve dependencies while compiling a new app. I installed the entire Gnome 1.4 distro from scratch this way.
The nmap-hackers list featured a thread last year on building an nmap port for Windows. Reading the posts, it seems there are ways around the pre-Windows 2000 Microsoft TCP/IP stack to spoof packets. The Windows NT rootkit at www.rootkit.com (including the RogueX scanner) is mentioned as having the necessary code to generate spoofed packets.
Recommended Security Reading
If you want to see all reviews (over 70 security books from the last three years), check here:
All Reviews
Enjoy,
Helevius
I'm waiting for the BSD version:
cd /usr/ports/security/rootkit
make && make install
Got it -- toad.com is 140.174.2.1, although I tested ecotone.toad.com.
Helevius
Is this still an issue?
---
host -t mx toad.com
toad.com mail is handled (pri=100) by old.toad.com
toad.com mail is handled (pri=200) by ecotone.toad.com
nc -v -v old.toad.com 25
DNS fwd/rev mismatch: old.toad.com != toad.com
old.toad.com [140.174.2.1] 25 (smtp) : Connection refused
sent 0, rcvd 0
nc -v -v ecotone.toad.com 25
ecotone.toad.com [216.240.42.33] 25 (smtp) open
220 ecotone.toad.com ESMTP Sendmail 8.8.7/8.8.7; Thu, 7 Mar 2002 10:09:26 -0800
HELO test
250 ecotone.toad.com Hello xx-myhostname-xx [xx-myipaddress-xx], pleased to meet you
MAIL FROM:test@test.com
250 test@test.com... Sender ok
RCPT TO:test@test.org
551 test@test.org... we do not relay
quit
221 ecotone.toad.com closing connection
sent 61, rcvd 283
---
So, is the relay closed?
Helevius
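The relay test in the transcript above, as an added example that is not part of the original post: a small Python checker that pairs each client command in an nc SMTP transcript with its reply code and decides whether a RCPT TO for a foreign domain was accepted (open relay), refused, or only deferred. The sample transcript, its hostnames and the function names are constructed assumptions, not values from the post.

```python
# Added example (not from the original post): classify an SMTP relay test
# transcript, as captured with nc, as an open or closed relay.
import re

REPLY_RE = re.compile(r"^(\d{3})[ -](.*)$")          # SMTP reply: code + text
NC_TRAILER_RE = re.compile(r"^sent \d+, rcvd \d+$")  # nc's byte-count summary


def parse_transcript(lines):
    """Return [(command, code)] pairing each client line with its reply code.

    nc's status line ('... 25 (smtp) open') and the 220 banner belong to a
    synthetic '<connect>' entry. Multi-line replies ('250-x' ... '250 y')
    just overwrite the code on the same entry, so the final code wins.
    """
    pairs = [["<connect>", None]]
    seen_reply = False
    for raw in lines:
        line = raw.strip()
        if not line or NC_TRAILER_RE.match(line):
            continue
        m = REPLY_RE.match(line)
        if m:
            pairs[-1][1] = int(m.group(1))
            seen_reply = True
        elif seen_reply:                   # non-reply after a reply: a command
            pairs.append([line, None])
    return [tuple(p) for p in pairs]


def relay_verdict(pairs, local_domains):
    """'open' if any RCPT TO for a foreign domain got 2xx, 'closed' on 5xx,
    'deferred' if it only saw 4xx (greylisting is inconclusive), else 'untested'."""
    verdict = "untested"
    for command, code in pairs:
        m = re.match(r"RCPT TO:\s*<?([^>\s]+)>?", command, re.I)
        if not m or code is None:
            continue
        if m.group(1).rsplit("@", 1)[-1].lower() in local_domains:
            continue                       # local delivery is not a relay test
        if 200 <= code < 300:
            return "open"                  # one relayed recipient is enough
        if code >= 500:
            verdict = "closed"
        elif 400 <= code < 500 and verdict != "closed":
            verdict = "deferred"
    return verdict


# Constructed sample shaped like the session in the post (placeholder hosts).
SAMPLE = """mx.example.net [192.0.2.25] 25 (smtp) open
220 mx.example.net ESMTP Sendmail 8.8.7/8.8.7; Thu, 7 Mar 2002 10:09:26 -0800
HELO test
250 mx.example.net Hello tester [192.0.2.99], pleased to meet you
MAIL FROM:test@test.com
250 test@test.com... Sender ok
RCPT TO:test@test.org
551 test@test.org... we do not relay
quit
221 mx.example.net closing connection
sent 61, rcvd 283""".splitlines()

if __name__ == "__main__":
    print(relay_verdict(parse_transcript(SAMPLE), {"example.net"}))  # closed
```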
What sort of anti-backup protection exists for CD-ROMs? Are corrupted sectors used, as was the case with magnetic media?
Helevius
I've been awaiting the arrival of FreeBSD Unleashed by Michael Urban and Brian Tiemann.
It's 1000 pages -- here's hoping they're useful!
Helevius
PS: I have a degree in history. :)
"Riverdance-like moves": That's the funniest damn thing I've read all day. :)