17. January 2011 · Comments Off on Top 3 Tools For Busting Through Firewalls — Internet Censorship — InformationWeek · Categories: blog · Tags: , , ,

Top 3 Tools For Busting Through Firewalls — Internet Censorship — InformationWeek.

The three tools described in this article are Tor (The Onion Router), Circumventor, and Glype. If you are unfamiliar with them, here is a brief description. The article provides a deeper analysis of them.

TorTor is nominally used for the sake of anonymity, but also works as a circumvention tool, and its decentralized design makes it resilient to attacks. It started as a U.S. Naval Research Laboratory project but has since been developed by a 501(c)(3) nonprofit, and is open source software available for a variety of platforms. Human Rights Watch, Reporters without Borders, and the United States International Broadcasting Bureau (Voice of America) all advocate using Tor as a way to avoid compromising one’s anonymity. With a little care, it can also be used to route around information blocking.


Circumventor – Developed by Bennett Haslelton of the anti-Internet-censorship site Peacefire.org, Circumventor works a little bit like Tor in that each machine running the Circumventor software is a node in a network.

Circumventor is most commonly used to get around the Web-blocking system in a workplace or school. The user installs Circumventor on an unblocked PC — e.g., their own PC at home — and then uses their home PC as a proxy. Since most blocking software works by blocking known Web sites and not random IP addresses, setting up a Circumventor instance ought to be a bit more effective than attempting to use a list of proxies that might already be blocked.

Glype – The Glype proxy has been created in the same spirit as Circumventor. It’s installed on an unblocked computer, which the user then accesses to retrieve Web pages that are normally blocked. It’s different from Circumventor in that it needs to be installed on a Web server running PHP, not just any old PC with Internet access. To that end, it’s best for situations where a Web server is handy or the user knows how to set one up manually.

While these tools are used in certain countries to bypass censorship, in the U.S. they are mostly used to bypass organizational firewall policies.

In order to block these tunneling and proxy applications, organizations have turned to Palo Alto Networks, the leading Next Generation Firewall manufacturer.

However, the real issue is much bigger than blocking the three most popular tools for bypassing traditional stateful inspection firewalls. Or even peer-to-peer applications. The real goal is to enable a Positive Control Model, i.e. only allow the applications that are needed and block everything else. This is a much harder goal to achieve. Why?

In order to achieve a Positive Control Model, your firewall, not your IPS, has to be able to identify every application you are running. So in addition to the applications the firewall manufacturer identifies, the firewall must give you the ability to identify your home-grown proprietary applications. Then you have to build policies (when possible leveraging your directory service) to control who can use which applications.

Once you have implemented the policies covering all the identified applications the organization is using, and who can use them, then the final policy rule can be, “If application is unknown, then deny.”

Once you have implemented the Positive Control Model, you don’t really care about the next new proxy or peer-to-peer application that is developed. It’s the Negative Control Model that keeps you the never-ending cycle of identifying and blocking every possible undesirable application in existence.

Achieving this Positive Control Model is one of the primary reasons organizations are deploying Palo Alto Networks at the perimeter and on internal network segments.

05. January 2011 · Comments Off on How Will Technology Disrupt the Enterprise in 2011? · Categories: blog · Tags: , , , , ,

How Will Technology Disrupt the Enterprise in 2011?.

Constellation Group’s Ray Wang lists five core disruptive technologies: social, mobile, cloud, analytics, and unified communications.

What’s interesting to us at Cymbel is that each of them require rethinking compliance and security to mitigate the new risks their deployments create for the enterprise. In other words, inadequately addressing the security and compliance risks around these technologies will inhibit deployment.

What are the risks?

  • Social – The new threat vector – the “inside-out” attack, i.e. rather than having to penetrate the enterprise from the outside-in, all a cybercriminal has to do is lure the insider to an external malware-laden web page.
  • Mobile – All the types of attacks we’ve seen over the years against desktops and laptops are finding their way onto smart phones.
  • Cloud – Will you put trade secrets and PII out in a public cloud deployment without protecting them from third party access? How will you verify that no third parties, like the administrators at SaaS companies are not accessing your data?
  • Analytics – Good security technology has only recently taken hold for traditional relational databases that rely on the SQL access language. The new analytics are about new ways of storing and accessing data for analysis. How do you monitor and control access?
  • Unified Communications – Attempting to apply traditional IPSec VPN technology to converged data, voice, and video networks creates unacceptable latency issues and unstable session connections. And MPLS itself does not provide encryption.

Cymbel’s mission is to provide the information security and compliance solutions which enable these technologies. We help our clients rethink and re-implement defense-in-depth.

Darwin said, “It is not the strongest of the species that survive, nor the most intelligent, but the ones most responsive to change.”

As an Information Security and Compliance Solution Provider, we are enablers of technology change.

04. January 2011 · Comments Off on Technical botnet takedowns useless. Technical controls needed. · Categories: blog · Tags: , , , , ,

TrendMicro’s 2010 in Review: No Recession for Cybercrime notes the ineffectiveness of several of the publicized botnet takedowns.

The futility of takedowns was seen when Pushdo/Cutwail was taken down earlier this year. Within days, it was back in business. Similarly, security researchers were able to take down the Waledac botnet in March but, as we noted at the time, the spam levels remained unchanged.

The lesson is that shutting down a botnet by purely technical means doesn’t do anything in the long term; arresting the people responsible is key to fixing the cybercrime threat.

What does this mean to the enterprise? You are on your own. Given the ease with which new botnets can be created and their geographic distribution, the arrests will be interesting but will not significantly reduce the botnet threat.

Cymbel provides three complementary solutions which help you mitigate the risks of botnets:

  • Palo Alto NetworksNext Generation Firewall with integrated Intrusion Prevention, URL Filtering, and botnet command and control communications detection.
  • FireEye – Heuristics-based malware detection with sandboxed suspicious code execution to minimize false positives.
  • Seculert – SaaS-based, External Threat Intelligence which alerts you on your compromised systems by monitoring the botnets themselves.