Thursday, July 24, 2008

Spliced feed for Security Bloggers Network

Security Briefing: July 24th [Liquidmatrix Security Digest]

Posted: 24 Jul 2008 07:40 AM CDT

Thursday and I’m finally getting back into the swing of things. The bug that was good enough to take up residence and wreck the place seems to have moved on for the most part. Sorry about the low volume.

Click here to subscribe to Liquidmatrix Security Digest!

And now, the news…

  1. DNS Exploit in the Wild | Wired
  2. Facebook to help some programmers, punish others | Associated Press
  3. Is Web 2.0 Security’s Achilles Heel? | Tech News World
  4. Pwnie Awards celebrate best and worst of security | The Register
  5. How Secure Is Your Network? NIST Model Knows | Physorg
  6. Most Bank Sites Are Insecure | Information Week
  7. Hackers Attack Businesses, Blogs and Web 2.0 Sites | iStock Analyst
  8. Hong Kong urges tougher controls on patients’ data | Monsters and Critics
  9. Exposing Bush’s historic abuse of power | Salon

these tubes are quick [extern blog SensePost;]

Posted: 24 Jul 2008 04:57 AM CDT

Kaminsky's thunder has all but evaporated into a fine mist, and Ptacek has gone all silent. In the meantime, the MetaSploit crowd put their heads down and produced:

http://www.caughq.org/exploits/CAU-EX-2008-0003.txt

DNS poisoning for the masses.

(If anything ever deserved the tag 'infosec-soapies', this would be it!!!)

Metasploit Bailiwick DNS Exploit Adds Domains [RioSec]

Posted: 24 Jul 2008 01:13 AM CDT

Overnight the Metasploit DNS exploit module continues to evolve to more devastating effect. Perhaps most importantly, a new module was introduced based on feedback from Cedric Blancher named Auxiliary::Spoof::Dns::BailiWickedDomain, which replaces the nameservers for a domain, allowing an attacker to redirect all traffic for the entire domain through them. Showcasing the ease of use of the Metasploit Framework, this entire exploit is written in 330 lines, including comments!

In the great NAC debate, Snyder KOs Stiennon in the first round! [StillSecure, After All These Years]

Posted: 24 Jul 2008 12:13 AM CDT

Just got done reading the transcript of yesterday's great NAC debate between Joel Snyder and Richard Stiennon. As I predicted, Snyder scored a knockout early on and it was mostly over from that point on. The knockout came earlier than I expected though, right off the first question. Each combatant was asked to define NAC and that was when it happened. Richard brought an EPAC (end point access control) to a NAC fight. That was akin to him bringing a rubber knife to a gun fight. A quick bullet between the eyes by Snyder and it was almost painlessly over for Richard.

I have been preaching for some time about what I call complete NAC. That is a complete network access control solution, not just network admission control and certainly not end point access control. It is not an evil plot to extend Cisco/Microsoft dominance and, most importantly, Richard, no one, and let me say this again, no one has ever said that NAC negates the need for a layered security model. NAC is just another layer in that model. Richard's comments deriding the .edu and .mil markets were also laughable. Richard, have you ever heard the term military grade? Are you seriously trying to say that enterprises take security more seriously than the military does? Come on now, Richard.

The bottom line is Joel Snyder is not only a sharp dude technically, but is street savvy enough to run circles around my friend Richard. He made Richard stay focused on the question at hand, did not let him wander, and so Richard had to face reality a bit. I am sure Richard will still say NAC is useless and will admonish people about hanging out with the likes of the StillSecure crowd, but I guess some things will just never change. Except, I don't think Richard will be in any more of these bouts. Maybe he can start selling a grill that takes the fat out of meat or perhaps a reality TV show like the other washed up palookas?

When your flight is DOA [StillSecure, After All These Years]

Posted: 24 Jul 2008 12:04 AM CDT

Last night I wrote about my first day of this week's road trip and my hotel which doubled as a funeral parlor. Now it is Wed night and I am live blogging from the runway of DC Reagan National airport, on board a Delta flight which has been on this same runway and not moved for the past 2 and a half hours.

I say I am live blogging this, but of course you are not live reading this. That is because I have no way to upload this to my server. You see, the iPhone 3G, for all the coolness, has no Internet sharing that I am aware of. My old Windows Mobile phone had Internet sharing and if I still had that you would be reading this live right now. But no, not with the iPhone.

I was scheduled to connect in Cincinnati right about now. I am obviously missing that connection. I was flying from there to Columbus and driving about an hour and a half from Columbus. I have a 9am meeting tomorrow. So unless I feel like renting a car and driving 4 hours whenever it is I land, I am pretty much missing my meeting tomorrow as well.

What to do?  a). Should I break out of this plane, run to the terminal and try to get on a flight home to Florida  b). Go postal or c). Grin and bear it and try to remember that I love what I do and that is what flying in the summer is all about (actually that summer thing is full of beans, it is no better in winter with weather either!).

So here is the update: we sat on the runway for 4 hours! Finally took off and landed in Cincinnati at midnight. I had no connection. Could not get a flight out in the morning, nor rent a car, and most hotels sold out. I am writing this from the coffee shop of the lovely (and I do mean lovely) Drawbridge Inn. I will miss my meeting in the morning and am booked on a flight home tomorrow. Ah, the life of a road warrior!

Links for 2008-07-23 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 24 Jul 2008 12:00 AM CDT

We should all be this bad - Microsoft is dead, long live Microsoft! [StillSecure, After All These Years]

Posted: 23 Jul 2008 11:57 PM CDT

I have written before about what a joke I think it is when people write that Microsoft's best days are behind it and that their corporate grave is already being dug.  Google is going to usher in a new age of net centric computing and topple the once and future king. Yeah sure.  Don Dodge had a good article up the other day about Microsoft's recent end of FY numbers.  The Redmond rockets racked up over 60 billion (yeah with a b) in revenue last year, an 18% increase over the year before!  They dropped 17.6 billion (again with a b) to the bottom line.  To give it some perspective, Yahoo all told only does about 7 or 8 billion in gross revenue a year.  Microsoft grew 9 billion in revenue last year.  That is they grew organically more than a whole Yahoo.  You can check out Don's article for more financial facts and figures.

I ask you, ladies and gentlemen, does this sound like the numbers of a company on the way down? If you were a betting person, would you be betting against this monster? I would not be. Do you think by 2011 things are going to fundamentally change? Next time someone tells you how open source, Linux, Google or anyone else is going to kill Microsoft, try to put some of these numbers in perspective.

Leveraging Client-Side Exploits In Your Pentests [Carnal0wnage Blog]

Posted: 23 Jul 2008 11:17 PM CDT

Wrapping up a pentest this week and got to do a little "user awareness training" with the current and unpatched ActiveX Control for Microsoft Access Snapshot Viewer exploit. F-Secure has a little writeup on it, as well as SecurityFocus with POC code.

This one is nice because it's an auto-download exploit. You call the ActiveX control and it downloads the file you specify to the location you specify. This is a great exploit from a user training perspective because you can make the binary as benign or dangerous as you want. I of course shoved a reverse shell out over FBP (firewall bypass protocol, aka TCP 443).

Delivery is simple enough: you create an email with a link (see my metagoofil post if you need help gathering those emails) and ask politely for users with elevated permissions on the network to click on it. You embed Snapshot Viewer code in that page, point the download location to somewhere fun like all users/startup, and tail -f /apache/access.log to see who browses the site, who enables the ActiveX control (your users do know better, right? or you do have your default IE settings set to high, right?) and who downloads your binary. If all goes well, after lunch you'll have your shell :-)

POC code from secfocus: http://downloads.securityfocus.com/vulnerabilities/exploits/30114.html

The Art of Security and Why Security Vendors are the Root of All Internet Evil [Amrit Williams Blog]

Posted: 23 Jul 2008 11:17 PM CDT

I was reading a book entitled “A Whole New Mind: Why Right-Brainers Will Rule the Future”. It isn’t terribly well written and has the flow of an idea that was shoe-horned into a literary context, but interesting nonetheless. Anyway, against the backdrop of DNSgate (btw - exploit code has been posted - here - thanks guys!) and the complete and utter failure of the security industry to offer anything beyond a never-ending hamster wheel of suites, widgets, add-ons, and modules, the book gave me pause as I reflected on what, for the most part, is a feeling of defeat and despair among security professionals.

This is a feeling that ebbs and flows with the conference season and peaks generally around mid-year with the introduction of clever methods of attack and exploitation presented in the carnival like atmosphere of a Blackhat or *con.

“Come one, come all, see the bearded lady swallow a flaming sword whilst revealing the latest virtual exploit guaranteed to introduce a completely undetectable malicious hypervisor as she rides on the shoulders of the world’s strongest man, who will devastate the entire Internet infrastructure in 10 seconds with a single finger”

Undetectable hyper-visors? 10 seconds to Internet destruction? 1,001 ways to craft a nefarious browser attack? Conceptually these are pretty scary, especially if you are reading your email and Robert Graham singles you out during one of his side-jacking presentations and shows the world how easy it is to own you and how careless you are for being owned - you wall of sheep know who you are - honestly who wouldn’t want to throw in the towel and acquiesce internet dominance to a 15 year old svelte Norwegian hacker with a bad skin condition or a gang of Nigerian spammers.

It would appear that doing business on the internet is like Dom Deluise swimming naked through shark-infested waters with an open wound while wearing a necklace of dead penguins and carrying a 3 lb salami.

It has been argued time and again that the bad-guys have the advantage, that we are on the losing side of the OODA loop, that for the most part we are simply sitting ducks and the best we can do is choose to not sit so close to the gaping jaws of a large crocodile and pray that we do not become prey. I contend that feeling is misguided and incorrect.

Although it has either been lost as inconsequential or we have been so blinded by the constant carpet-bombing of FUD marketing and the ongoing orgy of disclosure that we are simply numb to it, but we have an inherent advantage in that we use the right side of our brains, whereas the bad guys really have no need to, we are clever, we use art with science, we are driven to find the edge cases, we strive to find the unique and obscure - we believe it is the other way around, but that is a result of the complete incompetence of the major security vendors, who like the Diabetes product vendors, will forever keep us in a never-ending cycle of finger-pricking and insulin injecting security practices instead of actually solving the problem.

Wait, what, we have the advantage? I know it sounds like security blasphemy, but don’t jump off the roller-coaster of semi-rational fun just yet, we still need to ride through the loop de loop.

  • The majority of ground breaking security research and discoveries, especially of the “holy shit” variety, come from the good guys, not the bad
  • According to the recent Verizon breach disclosure statistics 85% of attacks are opportunistic, which leads one to believe that a. there is no reason for bad guys to find unique ways to exploit and b. we are still our own worst enemy.
  • There is no end in sight for the lack of security prowess ensuring an endless supply of easy targets for the bad guys to attack - remember if we believe that attacks are becoming more financially motivated then there is a cost-benefit analysis that will drive an attacker to take the easiest, least risky path to exploit.

The internet is resilient, business is even more so, and the good guys tend to spend more time on the problem than the bad guys.

Penetration testing tools - Nikto [Hackers Center Blogs]

Posted: 23 Jul 2008 06:00 PM CDT

Nikto is a web server security assessment tool. It is designed to find various default and insecure files, configurations and programs on any type of web server. Definitely one of the most preferred free web app scanners available.

After a small vacation I'm back on the series of the best tools for web application penetration testers.  Last time we gave a look at dirb [...]

Bristol-Myers Employee Data On Stolen Tape [Liquidmatrix Security Digest]

Posted: 23 Jul 2008 05:20 PM CDT

OK, I’m out of bed and starting to feel a little more human.

So, first up. It seems that employees of the pharma giant Bristol-Myers Squibb are a little uneasy today. It turns out that a backup tape containing personal info on former and current staff was pilfered from the back of a delivery truck.

Well, that’s gotta suck.

From Network World:

However, according to a security breach notification letter sent by the firm to the New Hampshire Attorney General’s office, personal data of 458 residents of that state was stored on the stolen tape.

Hortas declined to disclose where the theft occurred or any other circumstances regarding the incident, citing an ongoing investigation by Bristol-Myers and law enforcement authorities. She also would not identify the third-party storage vendor hired by Bristol-Myers to transport the sensitive data.

I hope it wasn’t Iron Mountain again. They could use a break. While the 458 affected might seem like a small number consider this,

included the names, addresses, birthdays, Social Security numbers, marital status, bank account numbers, salaries, and hiring and termination/retirement dates of the affected employees. In addition, the tape has Social Security and address information about dependents of former and current employees.

Now, that really sucks.

Article Link

Which Blogs Do I Read? [Anton Chuvakin Blog - "Security Warrior"]

Posted: 23 Jul 2008 02:50 PM CDT

Somebody asked me what blogs do I read? I figured I'd post my answer here:

  1. First, a bunch of security blogs (actually, the amount did SHRINK a bit compared to before - security blogosphere is too darn noisy and the signal/noise ratio is dropping thru the floor ...): here is the link
  2. Travel blogs: here
  3. A few blogs on presenting and writing (and blogging): here
  4. A few career blogs: here
  5. Miscellaneous fun blogs: warfare, psywar, influence, etc
  6. Some VC, product management and general business blogs: here

In any case, hope it was useful!

Metasploit DNS Exploit Now Reality [RioSec]

Posted: 23 Jul 2008 11:33 AM CDT

As previously predicted, HD Moore has checked in an exploit for the DNS vulnerability originally discovered by Dan Kaminsky.  This auxiliary module is named "DNS BailiWicked Attack" (Auxiliary::Spoof::Dns::BailiWickedHost).  Written by |)ruid and hdm, this appears to be a fully functioning, easy to use exploit.

From the exploit module code:

San Francisco locked out of its servers [Phillip Hallam-Baker's Web Security Blog]

Posted: 23 Jul 2008 11:27 AM CDT

A rogue system admin for the city of San Francisco locked the city computer systems and was holding the access key to ransom.

Fortunately the admin changed his mind after a conversation with his lawyers in the city cells, but still refused to give the code to anyone other than the mayor, forcing Mayor Newsom to visit the prison in person to retrieve the keys.

The scale is unusual but not the crime. Any business can have a disgruntled employee, no matter how well run the business or how fair the management is. They don't even need to be upset by their employer to take revenge on them in place of their real target. Placing a logic bomb can be a tempting means.

Many businesses that are involved in these events never recover. For many small businesses the data stored on their computer systems is their business. The attack need not be very sophisticated either: taking the disks out of the RAID array and tossing them from a bridge will work as well as a sophisticated hack. It's only if the attacker wants the attack to be reversible that sophistication is needed.

What can a business do to protect themselves? Keeping offsite backups for a start. Backing up the server is the job of the system administrator, but making sure that the system is backed up is the responsibility of the CISO - and higher.

In the San Francisco case it is clear that the city gave too much control to a single individual - if the reports are accurate. It should not be possible for one person to have that level of access, no matter how senior they are.

So why are businesses run the insecure way? I believe that a large part of the reason is to do with usability, which is one reason I am off to SOUPS at CMU today.

The Not-So-Sweet Life of Supplicants [Security Uncorked]

Posted: 23 Jul 2008 10:23 AM CDT

There are plenty of integration and configuration challenges when we look at 802.1X, but one of the most notable issues is choosing the right supplicant to best serve your end users.

Some of the major obstacles we face with 802.1X center around creating a smooth end user experience.  We, as integrators, have the distinct ability to make ‘whatever’ work- we find a way. But, what I hear most from my customers is “it has to be easy for the end user.”  (Sometimes they go on a little further, but I’ll leave it at that.)

Why does it matter?

Wireless, wireless, wireless. Although wired 1X is popular with our customer-base, the world isn’t quite flocking to it yet. However, 802.1X is certainly the best way to increase security and ease management of wireless networks. It’s standard, it’s flexible, it’s widely-supported by devices and endpoints and it eliminates the need for pre-shared keys or secondary passwords. It’s what most enterprises, government and educational organizations are implementing now, so it’s important.

What are some of the problems?

The end user will have some adjustments to make, and network admins and support desks aren’t always thrilled with the prospect of re-training users for these expectations.

  • First of all, the time to authenticate and connect to the network is going to drastically increase. I say drastically- it’s only a few seconds- but I’m sure it feels like minutes to a new 1X end user.
  • In addition, we’re in a transition and growing period where we’re trying to integrate and authenticate multiple pieces- the machine and/or user as well as any other clients residing on the endpoint, so there can be single-sign-on issues. Not SSO in the traditional sense, but single-1X-sign-on vs logging in to authenticate and open the port, logging in again to get to network resources (such as Novell).
  • There may also be issues supporting multiple profiles, so end users may need to understand the concept of enabling 802.1X on an interface at their office, then disabling it when they go home.
  • Or perhaps, in a shared or lab-type environment, we may have multiple unique users logging in to the same endpoint device, so we have to make it easy for end users to log off so there’s a forced re-auth for the next user.

There are plenty more, but this hits on the major concerns of most organizations planning to implement 802.1X (wired or wireless).

How do we address the issues?

There are different ways to deal with the complexity of supplicant and end-user interactions. First and foremost, a good end user training program will be needed. There’s a learning curve, but eventually end users will get it- we just have to make sure the transition for ‘now’ to ‘got it’ is smooth and doesn’t overwhelm help desk resources.

As the operating systems and clients progress, we’re seeing more integration and the ability to share 802.1X information between disparate pieces of the endpoint.

In the meantime, there are also 3rd-party supplicants that can ease several of the pains. Cisco’s Secure Services Client (acquired from Meetinghouse’s Aegis supplicant) and Juniper’s Odyssey Access Client (acquired from Funk) both offer options and configurations not currently available in native OS supplicants. (For example, both offer the GINA shim for integrating Windows 1X login with Novell as well as multiple profile support.) Although I haven’t tried it, my understanding is you can still operate both of these clients independent of the controllers provided from the same vendor.

Is it a deal-killer?

It can be. The struggle to provide a smooth transition for end users is often a deal-killer for organizations looking at deploying 802.1X. Although there are ways to combat most of these obstacles, often the time, planning and money required to proceed make it unattractive enough to abandon the project. In most cases, the more heterogeneous the endpoint environment is, the less attractive the solution becomes. In an all-Microsoft environment, you can have an 802.1X framework up in a matter of hours. With a mix of authentication directories, endpoint OSs and user expectations, you could spend weeks or months ironing out the details.

The good news.

Yes, there’s some good news here. The increased adoption of 802.1X is continually leading to increased integration of the software, operating systems and clients on endpoints. While 802.1X may never reach ‘plug-and-play’ status, pretty soon the integration will reach a point where configuration is simplified enough for more wide-spread adoption, even in the most diverse environments.

Just hang tight, we’ll get there!

# # #

Good stuff in the SCC [Andy, ITGuy]

Posted: 23 Jul 2008 09:38 AM CDT

I just wanted to take a minute and point you to a couple of good conversations going on in the Security Catalysts Community.

Stop by and check these and the other posts out. This is a great place to get information, interact with other security professionals and stay on top of your game.

Wired 802.1X and Windows XP SP3- Yes you can! [Security Uncorked]

Posted: 23 Jul 2008 08:59 AM CDT

I’ve gotten a lot of questions recently about using 802.1X on the wired interface with Windows XP SP3. In the past few weeks I’ve also stumbled across a lot of forum posts, blogs and articles stating you “can’t do wired 802.1X with XP SP3.”

Well, sure you can! There is a little trick now, though.

As part of the move to the Microsoft NAP integration, they’ve broken out the wired and wireless supplicant management into two pieces. Until SP3, all 1X was handled in the Wireless Zero Configuration (WZCSVC) service. The wired 1X supplicant is handled now by a different service and must be manually started.

In Windows XP SP3, the supplicants are each handled separately by these services:

  • Wireless 802.1X: WZCSVC service
  • Wired 802.1X: Wired AutoConfig service (DOT3SVC)

How do you start the Wired AutoConfig service? Two ways, the end user (or admin) can do it manually on the endpoint, or you can push it out with group policies.

Instead of duplicating a lott’a text, you can find detailed instructions for manual and pushed wired 1X configurations on Microsoft KB article 953650.

You can also learn more about Microsoft NAP integration in the Network Access Protection Q&A site.
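For the manual route described above, here is an added example (not from the original post or from Microsoft) that starts the Wired AutoConfig service and makes the change survive a reboot. It assumes PowerShell is installed on the XP SP3 host, the shell is elevated, and that the netsh "lan" context becomes usable once DOT3SVC is running, as KB 953650 describes.

```powershell
# Added example, not from the original post: bring up the wired 802.1X
# supplicant on Windows XP SP3 by enabling the Wired AutoConfig service.
# Assumptions: PowerShell is installed on the XP SP3 host, this runs as an
# administrator, and 'netsh lan' is available once DOT3SVC is running.

$svcName = 'dot3svc'   # service name from the post (Wired AutoConfig)

$svc = Get-Service -Name $svcName -ErrorAction Stop
Write-Host ("Before: {0} is {1}" -f $svc.DisplayName, $svc.Status)

# Starting the service alone is not enough: unless the startup type is
# Automatic, wired 802.1X silently stops working again after a reboot.
Set-Service -Name $svcName -StartupType Automatic

if ($svc.Status -ne 'Running') {
    Start-Service -Name $svcName
    # Give the service control manager up to 30 seconds to report Running.
    $svc.WaitForStatus('Running', (New-TimeSpan -Seconds 30))
}

$svc.Refresh()
Write-Host ("After:  {0} is {1}" -f $svc.DisplayName, $svc.Status)

# Verify the startup type actually persisted (WMI exposes it as StartMode).
$wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'"
if ($wmi.StartMode -ne 'Auto') {
    throw "Startup type for $svcName is '$($wmi.StartMode)', expected Auto"
}

# With DOT3SVC running, list the wired interfaces and their 802.1X state so
# the help desk can confirm the supplicant is active on the right adapter.
netsh lan show interfaces
```

For a fleet, the same two settings (startup type and service state) are what the group policy route from KB 953650 pushes out; this script is only the per-host equivalent.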

# # #

For your hacking pleasure - Cold Boot utilities released! [Data-Centric Protection and Management]

Posted: 23 Jul 2008 08:32 AM CDT

Interesting news over the weekend. Looks like one of the original researchers from the Princeton Cold Boot attack work, Jacob Appelbaum, published all the utilities they used to break full disk encryption products.

We, at BitArmor, have talked a bit about cold boot and how we protect against it. Our CEO Patrick and a few of our senior engineers will be presenting at Black Hat on techniques to prevent this attack - check out his perspective as well from his Princeton days.

Hoff: DNS Debacle In Poetic Review [Liquidmatrix Security Digest]

Posted: 23 Jul 2008 05:41 AM CDT

T.S. Eliot, eat your heart out.

A poetic contribution from Chris Hoff, “The DNS Debacle In Poetic Review”.

Love it.

On DNS [Anton Chuvakin Blog - "Security Warrior"]

Posted: 23 Jul 2008 12:24 AM CDT

I was preparing a long and thoughtful post on the "DNS issue" (mentioning this, this, this, etc), but it was all in vain.

This is the last and final word on it. Thanks Rich for the link (he understates and calls it just "genius" :-))

All bow to Hoff's wisdom - and poetic super-powers, of course :-)

Links for 2008-07-22 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 23 Jul 2008 12:00 AM CDT

Pure Genius [securosis.com]

Posted: 22 Jul 2008 11:45 PM CDT

There is nothing else to say.

(Hoff claims he wrote it in 8 minutes).

The DNS Debacle In Poetic Review [Rational Survivability]

Posted: 22 Jul 2008 11:32 PM CDT

A few months ago
Kaminsky discovered a flaw.
It was with DNS,
It was nasty and raw

He decided than rather
to disclose all at once
he'd instead only tell people
who'd fix it in months

So some meetings were had
and work soon began
vendors wrote patches
coordinated by Dan

Fast forward some time
out the closet it came
some researcher types
got into the game

Dan's rules were quite simple,
that in 30 days
he'd present during Blackhat
and we'll all be amazed

A bunch of big egos
called Dan on a bluff
said his vuln was a copy
of 10 year old stuff

So Dan swore them on handshakes
and details were provided
and those same cocky claims
soon all but subsided

It seems that Dan's warnings
weren't baseless at all
Said the same skeptical hackers
"the risk isn't that small!"

So Blackhat was nearing
the web didn't break
then out came a theory
from our friend Halvar Flake

No sooner had he posted
and described the vuln's guts
than Matasano's blog surfaced,
kicked the web in the nuts

It said "Halvar's right!"
we'll no longer keep quiet.
The post's ripple effect
caused a nasty 'net riot

The blog quickly was pulled
but the cat's out of the bag
the arms race began
since there's no longer a gag

Meanwhile the issues of honor and trust
rehashed the debate
of when disclosure goes bust

So Dan's days of thirty
we never did see
thirteen is OK
but I issue this plea

When researchers consider
how to disclose and thus when
will you think of the users?
How it might affect them?

This ego-fueled rush
to put your name on a vuln
has a much bigger impact
than you might have known

If the point here is really
to secure and protect
then consider what image
you really project

In this case the vuln.
is now in the wild
an exploit is coming
DNS soon defiled

The arms race has started
and the clock now is ticking
If you haven't yet patched
you'll soon take a licking

I'm not taking sides really
on the disclosure debate
but rather the topic
of patch early or late

What good is disclosure
if the world couldn't cope
with the resultant attacks
if we've all got just hope?

There's two sides to this issue
both deserve merit
but Dan's rep has been smeared
I say let's just clear it

--

Happy patching everyone! ;(

/Hoff

At SANSFIRE 2008 in Washington, DC [Anton Chuvakin Blog - "Security Warrior"]

Posted: 22 Jul 2008 09:01 PM CDT

I just landed at Washington, DC to speak at SANSFIRE tomorrow (my Lunch and Learn on "Log Management 'Worst Practices'" is on Wednesday, July 23rd - come over, it will be fun!)

LogLogic Lunch and Learn Presentation
- "Worst Practices" of Log Management
- Speaker: Dr. Anton Chuvakin, GCIA, GCIH, GCFA
- Wednesday, July 23rd, 2008 * 12:30pm - 1:15 pm

Want to learn all the embarrassing mistakes and pitfalls that await you on the path to log management nirvana? Attend "'Worst Practices' of Log Management" presentation by LogLogic's Logging Evangelist Dr Anton Chuvakin that covers all the things that can go wrong while planning, evaluating, deploying and running a log management solution. Insufficient planning, unrealistic expectations, choosing tools on price alone, lack of logging configuration guidance are among such "worst practices." Each common "worst practice" will be accompanied by suggestions to avoid the errors and do things correctly! Everybody touts "best practices", but this is the place to learn how to avoid the opposite - and have fun in the process.

If you want to meet, drop me an email/call or just show up for "lunch and learn." Unfortunately, I am going back right after my presentation tomorrow...

No DNS Disclosure Debacle Here: Stiennon Pens the Funniest Thing I've Read in 2008... [Rational Survivability]

Posted: 22 Jul 2008 05:46 PM CDT

Hat tip to Rothman for this.

I don't know if Stiennon is off his meds or simply needed to re-post something from 2001 to meet an editorial quota, but his Network World article titled "The Most Important Networking Trend of 2008" ties thus far with the "Evolution of Dance" as my vote for most entertaining Internet content.

Richard's epiphany goes something like this:

  • Multifunction network devices that have the ability to "route" traffic and combine security capabilities are the 'next big thing'
  • If a company offers a multifunction network device that has the ability to "route" traffic and combine security capabilities but have the misfortune of using Linux as the operating system, they will "...forever be pigeon-holed as SMB solutions, not ready for enterprise prime time."
  • The Wall Street Journal issued "... the year's most important article on networking" in an article titled "New Routers Catch the Eyes of IT Departments" which validates the heretofore undiscovered trend of convergence and commoditization!
  • "Real" network security players such as Cisco, Juniper and Redback are building solutions to this incredible new trend and because of the badge on the box, will be considered ready for "...enterprise prime time."
  • The WSJ article talks about the Cisco ASR1000 router as the penultimate representation of this new breed of converged "network security" device.
  • Strangely, Stiennon seems to have missed the fact that the operating system (IOS-XE) that the ASR1000 is based on is, um, Linux. You know, that operating system that dictates that this poor product will "...forever be pigeon-holed as SMB solutions, not ready for enterprise prime time."

Oh, crap!  Somebody better tell Cisco!

So despite the fact that Cisco ASR1000 is positioned as an edge device as are these crazy solutions called UTM devices, it seems we're all missing something because somehow a converged edge device now counts as being able to provide a "secure network fabric?"

In closing, allow me to highlight the cherry on top of Stiennon's security sundae:

Have you ever noticed how industry "experts" tend to get stuck in a rut and continue to see everything through the same lens despite major shifts in markets and technology?

Yes, Richard, I do believe I have noticed this...

Funny stuff!

/Hoff
