17. January 2011 · Top 3 Tools For Busting Through Firewalls — Internet Censorship — InformationWeek · Categories: blog

Top 3 Tools For Busting Through Firewalls — Internet Censorship — InformationWeek.

The three tools described in this article are Tor (The Onion Router), Circumventor, and Glype. If you are unfamiliar with them, here is a brief description. The article provides a deeper analysis of them.

Tor – Tor is nominally used for the sake of anonymity, but also works as a circumvention tool, and its decentralized design makes it resilient to attacks. It started as a U.S. Naval Research Laboratory project but has since been developed by a 501(c)(3) nonprofit, and is open source software available for a variety of platforms. Human Rights Watch, Reporters without Borders, and the United States International Broadcasting Bureau (Voice of America) all advocate using Tor as a way to avoid compromising one’s anonymity. With a little care, it can also be used to route around information blocking.

Circumventor – Developed by Bennett Haselton of the anti-Internet-censorship site Peacefire.org, Circumventor works a little bit like Tor in that each machine running the Circumventor software is a node in a network.

Circumventor is most commonly used to get around the Web-blocking system in a workplace or school. The user installs Circumventor on an unblocked PC — e.g., their own PC at home — and then uses their home PC as a proxy. Since most blocking software works by blocking known Web sites and not random IP addresses, setting up a Circumventor instance ought to be a bit more effective than attempting to use a list of proxies that might already be blocked.

Glype – The Glype proxy has been created in the same spirit as Circumventor. It’s installed on an unblocked computer, which the user then accesses to retrieve Web pages that are normally blocked. It’s different from Circumventor in that it needs to be installed on a Web server running PHP, not just any old PC with Internet access. To that end, it’s best for situations where a Web server is handy or the user knows how to set one up manually.

While these tools are used in certain countries to bypass censorship, in the U.S. they are mostly used to bypass organizational firewall policies.

In order to block these tunneling and proxy applications, organizations have turned to Palo Alto Networks, the leading Next Generation Firewall manufacturer.

However, the real issue is much bigger than blocking the three most popular tools for bypassing traditional stateful inspection firewalls, or even peer-to-peer applications. The real goal is to enable a Positive Control Model, i.e. only allow the applications that are needed and block everything else. This is a much harder goal to achieve. Why?

In order to achieve a Positive Control Model, your firewall, not your IPS, has to be able to identify every application you are running. So in addition to the applications the firewall manufacturer identifies, the firewall must give you the ability to identify your home-grown proprietary applications. Then you have to build policies (when possible leveraging your directory service) to control who can use which applications.

Once you have implemented the policies covering all the identified applications the organization is using, and who can use them, then the final policy rule can be, “If application is unknown, then deny.”

Once you have implemented the Positive Control Model, you don’t really care about the next new proxy or peer-to-peer application that is developed. It’s the Negative Control Model that keeps you in the never-ending cycle of identifying and blocking every possible undesirable application in existence.
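To make the difference between the two models concrete, here is a toy policy engine added for this post (it is not code from the post or from Palo Alto Networks). Application names, directory groups and rules are constructed; "internal-erp" stands in for a home-grown application that has been given its own custom application identifier.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    app: str            # application name as classified by the firewall
    groups: frozenset   # directory groups entitled to use it ({"all"} = everyone)
    action: str         # "allow" or "deny"


# Positive Control Model: enumerate what the business needs, end with deny-unknown.
POSITIVE_RULES = [
    Rule("web-browsing", frozenset({"all"}), "allow"),
    Rule("gmail", frozenset({"all"}), "allow"),
    Rule("facebook", frozenset({"sales", "marketing"}), "allow"),
    Rule("internal-erp", frozenset({"finance"}), "allow"),   # constructed home-grown app
    Rule("unknown", frozenset(), "deny"),                    # traffic the firewall could not classify
]

# Negative Control Model: block the circumvention tools known today, allow the rest.
NEGATIVE_RULES = [
    Rule("tor", frozenset(), "deny"),
    Rule("circumventor", frozenset(), "deny"),
    Rule("glype", frozenset(), "deny"),
]


def evaluate(rules, app, user_groups, default):
    """First-match policy evaluation; `default` applies when no rule names the app."""
    for rule in rules:
        if rule.app != app:
            continue
        if rule.action == "deny":
            return "deny"
        if "all" in rule.groups or rule.groups & frozenset(user_groups):
            return "allow"
        return "deny"   # application is sanctioned, but not for this user's groups
    return default


def compare(app, user_groups):
    """Decision of each model for one flow, e.g. {'negative': 'allow', 'positive': 'deny'}."""
    return {
        "negative": evaluate(NEGATIVE_RULES, app, user_groups, default="allow"),
        "positive": evaluate(POSITIVE_RULES, app, user_groups, default="deny"),
    }


if __name__ == "__main__":
    # A proxy released after the negative rule set was written slips straight through it.
    for flow in [("tor", ["engineering"]), ("newproxy-2011", ["engineering"]),
                 ("facebook", ["sales"]), ("facebook", ["engineering"]), ("unknown", ["finance"])]:
        print(flow, compare(*flow))
```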

Achieving this Positive Control Model is one of the primary reasons organizations are deploying Palo Alto Networks at the perimeter and on internal network segments.

04. January 2011 · Technical botnet takedowns useless. Technical controls needed. · Categories: blog

Trend Micro’s 2010 in Review: No Recession for Cybercrime notes the ineffectiveness of several of the publicized botnet takedowns.

The futility of takedowns was seen when Pushdo/Cutwail was taken down earlier this year. Within days, it was back in business. Similarly, security researchers were able to take down the Waledac botnet in March but, as we noted at the time, the spam levels remained unchanged.

The lesson is that shutting down a botnet by purely technical means doesn’t do anything in the long term; arresting the people responsible is key to fixing the cybercrime threat.

What does this mean to the enterprise? You are on your own. Given the ease with which new botnets can be created and their geographic distribution, the arrests will be interesting but will not significantly reduce the botnet threat.

Cymbel provides three complementary solutions which help you mitigate the risks of botnets:

  • Palo Alto Networks – Next Generation Firewall with integrated Intrusion Prevention, URL Filtering, and botnet command and control communications detection.
  • FireEye – Heuristics-based malware detection with sandboxed suspicious code execution to minimize false positives.
  • Seculert – SaaS-based, External Threat Intelligence which alerts you on your compromised systems by monitoring the botnets themselves.

06. December 2010 · Enterprises Riding A Tiger With Consumer Devices | threatpost · Categories: blog

Enterprises Riding A Tiger With Consumer Devices | threatpost.

George Hulme highlights two technology trends which are increasing enterprise security risks – employee-owned smartphones and Web 2.0 applications including social networking.

Today, more than ever, employees are bucking efforts to be forced to work on stale and stodgy corporate notebooks, desktops or clunky, outdated mobile phones. They want to use the same trendy smart phones, tablets, or netbooks that they have at home for both play and work. And that, say security experts, poses a problem.

“If you prohibit access to the services people want to use for their jobs, they end up ignoring you and doing it from their own phone or netbook with their own data connection,” says Josh Corman, research director, security at the analyst firm 451 Group. “Workers are always going to find a way to share data and information more efficiently, and people will always embrace ways to do their job as effectively as possible.”

To control and mitigate the risks of using Web 2.0 applications and social networking, we’ve been recommending to and deploying for our clients Palo Alto Networks’ Next Generation Firewalls.

Palo Alto posted a well-written response to Hulme’s article, Which is Riskier: Consumer Devices or the Applications in Use? Clearly, Palo Alto’s focus is on (1) controlling application usage, (2) providing intrusion detection/prevention for allowed applications, and (3) blocking the methods people have been using (remote access tools, external proxies, circumventors) to get around traditional network security solutions.

We have been big supporters of the thinking that the focus of information security must shift from protecting devices to protecting information. That is the core of the next generation defense-in-depth architecture we’ve assembled.

Corman agrees that the focus needs to shift from protecting devices to protecting data. “Security managers need to focus on the things they can control. And if they can control the computation platforms, and the entry and exit points of the network, they can control the access to sensitive data, regardless of who is trying to access it,” he says. Corman advises enterprises to deploy, or increase their focus on, technologies that help to control data access: file and folder encryption, enterprise digital rights management, role-based access control, and network segmentation.

Having said that, we are currently investigating a variety of new solutions directly aimed at bringing smartphones under enterprise control, at least for the enterprise applications and data portion of smartphone usage.

27. November 2010 · Securosis Blog | No More Flat Networks · Categories: blog

Securosis Blog | No More Flat Networks.

Mike Rothman at Securosis is tentatively calling for more internal network segmentation in light of the Stuxnet worm. We here at Cymbel, who have been recommending Palo Alto Networks for its ability to define security zone policies by application and LDAP user group for the last three years, say welcome.

Using firewalls on internal networks to define zones is not new with Palo Alto. Netscreen (now Juniper) had the zone concept ten years ago.

Palo Alto was the first, and, as far as I know, is still the only firewall vendor that enables you to classify traffic by application rather than port. That lets you implement a Positive Control Model from the network layer up through the application layer, and, with some work over time, the “unknown application – deny” rule. In other words, if there is application traffic for which no policies are defined, deny it.

15. November 2010 · Network Forensics Blog » Blog Archive » Network Forensics and Reversing Part 1 – gzip web content, java malware, and a little JavaScript · Categories: blog

Network Forensics Blog » Blog Archive » Network Forensics and Reversing Part 1 – gzip web content, java malware, and a little JavaScript.

Something I’ve found unsettling for some time now is the drastically increased usage of gzip as a Content-Encoding transfer type from web servers. By default now, Yahoo, Google, Facebook, Twitter, Wikipedia, and many other organizations compress the content they send to your users. From that list alone, you can infer that most of the HTTP traffic on any given network is not transferred in plaintext, but rather as compressed bytes.

The post goes on to claim that most network security solutions are blind to gzipped web traffic.

While I have not done a survey of “most” network security solutions, I can say for sure that Palo Alto Networks does automatically decompress gzipped content in hardware and then inspect and apply policies.
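The following example, added here and not taken from the post or the Network Forensics blog, shows why a content-matching device must undo Content-Encoding before inspecting: the same signature is found in a plain response but missed in the gzip-encoded one unless the body is decompressed first. The HTTP response, page body and signature are constructed for illustration.

```python
import gzip

# Constructed signature: a script include that a content signature might look for.
SIGNATURES = [b'<script src="http://malware.example/loader.js">']


def build_response(body: bytes, compress: bool) -> bytes:
    """Construct a minimal HTTP/1.1 response, gzip-encoded when `compress` is set."""
    payload = gzip.compress(body) if compress else body
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: text/html"]
    if compress:
        headers.append(b"Content-Encoding: gzip")
    headers.append(b"Content-Length: " + str(len(payload)).encode())
    return b"\r\n".join(headers) + b"\r\n\r\n" + payload


def split_response(raw: bytes):
    """Split a raw response into a lowercase header dict and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body


def naive_match(raw: bytes) -> bool:
    """Match signatures against the wire bytes as-is: blind to compressed bodies."""
    _, body = split_response(raw)
    return any(sig in body for sig in SIGNATURES)


def decoding_match(raw: bytes) -> bool:
    """Undo Content-Encoding: gzip before matching, as an inspecting device must."""
    headers, body = split_response(raw)
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    return any(sig in body for sig in SIGNATURES)


# Constructed page body; the repeated filler compresses well, as real HTML does.
PAGE = b"<html><body>" + b"<p>filler</p>" * 8 + SIGNATURES[0] + b"</script></body></html>"

if __name__ == "__main__":
    for compress in (False, True):
        raw = build_response(PAGE, compress)
        print("gzip" if compress else "plain", naive_match(raw), decoding_match(raw))
```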

14. November 2010 · What Web Apps Are Employees Using at Work? · Categories: blog

What Web Apps Are Employees Using at Work?

Here is a summary of Next Generation Firewall vendor Palo Alto Networks’ semi-annual Application Usage and Risk Report’s findings:

Web Mail and Instant Messaging are the most popular applications. Gmail, which is SSL encrypted, is the most popular by traffic rate. Hotmail and Yahoo claim more users but are behind Gmail in usage. They are also moving to SSL encryption. If your network security solutions cannot decrypt SSL, you are blind to this traffic and potential data leak vector.

Facebook dominates social networking. No surprise here, but it does highlight the need for being able to monitor and control social networking using a more fine-grained approach than URL blocking, since there are business benefits to allowing some people, particularly sales and marketing, access to certain functions.

File sharing is shifting to the browser. The implication is that blocking peer-to-peer file sharing is no longer sufficient to control file sharing.

10% of the applications found can be considered “Enterprise Cloud.” This covers applications like WebEx, GoToMeeting, Salesforce.com, Microsoft Office Live, and Google Docs.

26. October 2010 · Easy fix for Firesheep creates a problem for enterprises · Categories: Malware, Palo Alto Networks

Using SSL encryption to connect to social networks like Facebook and Twitter mitigates the risk of your credentials being stolen when you are using public WiFi networks to connect to the Internet. But it creates a problem for enterprises attempting to control the use of social networking because most firewalls and Intrusion Prevention Systems are blind to SSL traffic.

The recent publication of Firesheep, and the subsequent download of over 104,000 copies of the Firefox plug-in in the last 24 hours, highlights this well-understood security flaw in the way social networking sites communicate with their users. Firesheep sniffs the WiFi network traffic to capture your user name and the established session ID for any of 26 sites including Facebook, Twitter, Amazon, and the NYTimes. This allows the Firesheep user to access any of these sites as you! This not only will reveal your personal information to the Firesheep user, but allow him/her to impersonate you.

This article, Firefox Add-on Firesheep Brings Hacking to the Masses, provides a very good detailed explanation of how Firesheep works. The article also describes several readily available tools which enable or force the use of SSL for all traffic to sites that accept SSL. In other words, rather than just encrypting the exchange of identification and password credentials, all traffic is encrypted.

There is no doubt that using SSL is a good privacy protection control. However, SSL encrypted sessions will make it more difficult for enterprises to control the use of social networking because most firewalls and IPSs are not capable of decrypting SSL traffic. In other words, most firewalls and IPSs are blind to SSL traffic. An exception is Palo Alto Networks, the industry leading Next Generation Firewall.
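The flaw the post describes is a session cookie travelling where a sniffer on the same WiFi can read it. The check below is an added example, not code from the post or from Firesheep: it parses the Set-Cookie headers of a captured response and flags session cookies that were set over plain HTTP or that lack the Secure attribute (so the browser would resend them over any http:// link). The cookie names, the session-name heuristic and the sample headers are constructed for illustration.

```python
# Constructed list of names commonly used for session identifiers (heuristic, not exhaustive).
SESSION_NAMES = {"sessionid", "phpsessid", "jsessionid", "auth_token", "sid"}


def parse_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie header into its name, value and lowercase attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def is_session_cookie(name: str) -> bool:
    """Heuristic: known session cookie names, or anything with 'sess' in the name."""
    lowered = name.lower()
    return lowered in SESSION_NAMES or "sess" in lowered


def audit(scheme: str, set_cookie_headers: list) -> list:
    """Return (cookie name, finding) pairs for session cookies exposed to passive sniffing."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if not is_session_cookie(cookie["name"]):
            continue
        if scheme == "http":
            findings.append((cookie["name"],
                             "session cookie set over plaintext HTTP; readable by anyone on the network"))
        elif "secure" not in cookie["attrs"]:
            findings.append((cookie["name"],
                             "missing Secure attribute; browser will resend it over http:// links"))
        if "httponly" not in cookie["attrs"]:
            findings.append((cookie["name"], "missing HttpOnly attribute; readable by page scripts"))
    return findings


# Constructed sample: a site that logs users in over HTTPS but sets its session cookie without Secure.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "lang=en; Path=/",
    "auth_token=xyz789; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for scheme in ("https", "http"):
        for name, finding in audit(scheme, SAMPLE_HEADERS):
            print(f"[{scheme}] {name}: {finding}")
```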

13. October 2010 · Outgunned: How Security Tech Is Failing Us — InformationWeek · Categories: blog

Outgunned: How Security Tech Is Failing Us — InformationWeek.

Our testing shows we’re spending billions on defenses that are no match for the stealthy attacks being thrown at us today. What can be done?

Greg Shipley has written an excellent article about the state of information security. The hard copy version in this week’s InformationWeek magazine sums up the situation – “Epic Fail.”

…collectively, we’ve spent billions of dollars on security technologies, and we still can’t curb these threats. Intruders trot through firewalls deployed to block them, while malware flourishes on systems that antivirus vendors pledge to immunize. Meantime, our identity management efforts guzzle funds faster than politicians before a crucial vote.

Recent events suggest that we are at a tipping point, and the need to reassess and adapt has never been greater. That starts with facing some hard truths and a willingness to change the status quo.

Greg points out what we’ve been saying for the last three years:

…sometime in the last few years a number of our key security technology controls crossed that threshold and ceased to be effective, yet as an industry we have yet to adjust. We’re pouring billions of dollars–literally–into security products that are gaining us very little. We don’t retire anything but rather pile on more layers, leading to increased complexity, expense, and exposure.

One of the big three security technology controls Greg calls out is firewalls. I would be more specific and say “stateful inspection” firewalls. These have been the staple of network security for 15 years. But Web 2.0 applications and social networking breeze right by the stateful inspection firewall. In fact, the stateful inspection firewall provides practically no control or protection at all.

Fortunately, we have begun to see the rise of what Gartner calls the Next Generation Firewall as exemplified by Palo Alto Networks. NextGen Firewalls are application aware and more importantly enable you to build policies based on applications and users rather than ports, protocols, and IP addresses.

Greg’s four recommendations are:

1) Start spending money on controls that are more in line with threats. This is in fact why Cymbel has embraced (and enhanced) the SANS 20 Critical Security Controls for Effective Cyber Defense. The controls were selected based on knowledge of exploits. For example, Controls #1 and #2 are about discovery of network assets and the software running on them. Unknown and/or unmanaged devices will thwart a patch management program every time.

2) Adjust assumptions and put to rest some age-old debates. For example, the insider vs. outsider debate. Due to what we call the “inside-out” attack vector, the outside attacker becomes an insider once the attacker steals the insider’s credentials. We discuss this in more detail in the Threats section of the Five Forces of Change. This is why internal network segmentation based on application and user policies has become critical.

3) Stop rewarding ineffectiveness and start rewarding innovation. Here Greg repeats his observations about the ineffectiveness of (stateful inspection) firewalls and antivirus. It is for this reason that we developed our Next Generation Defense-in-Depth architecture, which features real, proven, innovative solutions which mitigate these new threats. Another good example is FireEye, which prevents 0-day and unknown malware attacks using heuristics plus virtual sandboxes to test suspicious code. The virtual sandbox capability practically eliminates false positives, the bane of heuristics-based intrusion prevention systems.

4) Know when security products cannot help you. Technology is not always the answer. Our Approach, based on the SANS 20 Critical Controls, acknowledges this as well. While the first 15 are automation oriented, the last five are not: Secure Network Engineering, Penetration Testing, Incident Response Capability, Data Recovery Capability, Security Training.

The validation of our approach to information security is gratifying. Thanks Greg.

06. October 2010 · Defending against Stuxnet · Categories: Malware, Palo Alto Networks

Palo Alto Networks’ blog post, Stuxnet – SCADA malware, describes all four Stuxnet vulnerabilities and how to defend against them.

The answer is a combination of policies which:

  • Block .LNK and .PIF files coming from the Internet to a private network
  • Disable RPC application traffic from the Internet to a private network
  • Deploy vulnerability protection profiles using the specific Palo Alto vulnerability signatures they developed to detect all four of the Windows vulnerabilities Stuxnet exploits.

This week Palo Alto Networks is releasing two new signatures which protect against the last of the four vulnerabilities, CVE-2010-2772. Microsoft does not have a patch for this one yet.

23. February 2010 · FTC warns 100 organizations about leaked data via P2P · Categories: Breaches, Next Generation Firewalls, Privacy

CNet News reported yesterday afternoon that:

The U.S. Federal Trade Commission has notified nearly 100 organizations that data from their networks has been found on peer-to-peer file-sharing networks, the agency said on Monday.

The FTC notices went to private and public entities, including schools and local government agencies and organizations with as few as eight employees to as many as tens of thousands, the FTC said in a statement. The sensitive information about customers and employees that was leaked could be used to commit identity fraud, conduct corporate espionage, and for other crimes.

Unfortunately file sharing based on peer-to-peer technology is only a part of the problem. Some firewalls and most intrusion prevention systems (IPSs) can block peer-to-peer file sharing. However, the problem is actually much worse – the growth of browser-based file sharing applications designed to bypass most firewalls and IPSs.

Palo Alto Networks, a next-generation (as defined by Gartner) firewall vendor, recognizes and can control or block 88 different file sharing applications. Of these, 40 use peer-to-peer technology, 39 are browser-based, and 9 are client-server. Therefore if your network security infrastructure can control or block only peer-to-peer file sharing, you are solving less than half the problem.

For more information about the hundreds of applications that ought to be controlled or blocked, go to Palo Alto Networks’ Applipedia.