|May the source be with you, but remember the KISS principle ;-)|
|Contents||Bulletin||Scripting in shell and Perl||Network troubleshooting||History||Humor|
|News||See also||Recommended Links||Router Security||Smurf attack||Scanners|
|Firewalls||Packet Generation Tools||Firewalls||DNS||DoS_attacks||Sniffers||TCP Wrappers|
|Port Scanners||Port Scan Detectors||Perl Scripts||Honeypots||CGI Security||Humor||Etc|
Local cretinism is the historical curse of the security
This class will focus on network security. Topics will include the design and structure of secure Ethernet-based networks as well as using tools like snort for discovering properties of traffic flows and creating policies to control them.
For the most part, our focus on network security will not include issues of host OS security; e.g, we are not so much interested in host-centric security mechanisms like file or multi-user process access control. Instead we focus on network-side security management including both passive measures like firewall defense schemes (packet filters, proxy/bastion hosts, and hybrids therein) and newer network security protocols like IPSEC, secure shell (SSH), and SSL. We may include email security, and/or Kerberos if we have time.
We will also look at certain common open source tools.
The key approach to the network security is so called "policy-based" approach. That's why firewalls became such a successful and popular tool. They just enforce certain network access policy.
Dr. Nikolai Bezroukov
Jul 22, 2009 | Insecure.org
"Insecure.Org is pleased to announce the immediate, free availability of the Nmap Security Scanner version 5.00 from http://nmap.org/ . This is the first stable release since 4.76 (last September), and the first major release since the 4.50 release in 2007. Dozens of development releases led up to this."
Talks about the network policy concept in greater depth, and see how it is implemented in the Solaris[tm] Bandwidth Manager software.
1. Network Security Assessment
The Business Benefits
IP: The Foundation of the Internet
Classifying Internet-Based Attackers
Assessment Service Definitions
Network Security Assessment Methodology
The Cyclic Assessment Approach
2. The Tools Required
The Operating Systems
Free Network Scanning Tools
Commercial Network Scanning Tools
Protocol-Dependent Assessment Tools
3. Internet Host and Network Enumeration
Web Search Engines
Enumeration Technique Recap
4. IP Network Scanning
TCP Port Scanning
UDP Port Scanning
IDS Evasion and Filter Circumvention
Low-Level IP Assessment
Network Scanning Recap
Network Scanning Countermeasures
5. Assessing Remote Information Services
Remote Information Services
systat and netstat
Remote Information Services Countermeasures
6. Assessing Web Services
Identifying the Web Service
Identifying Subsystems and Components
Investigating Web Service Vulnerabilities
Accessing Poorly Protected Information
Assessing CGI Scripts and Custom ASP Pages
Web Services Countermeasures
7. Assessing Remote Maintenance Services
Remote Maintenance Services
Microsoft Remote Desktop Protocol
Remote Maintenance Services Countermeasures
8. Assessing FTP and Database Services
FTP Banner Grabbing and Enumeration
FTP Brute-Force Password Guessing
FTP Bounce Attacks
Circumventing Stateful Filters Using FTP
FTP Process Manipulation Attacks
FTP Services Countermeasures
Microsoft SQL Server
Database Services Countermeasures
9. Assessing Windows Networking Services
Microsoft Windows Networking Services
Microsoft RPC Services
The NetBIOS Name Service
The NetBIOS Datagram Service
The NetBIOS Session Service
The CIFS Service
Unix Samba Vulnerabilities
Windows Networking Services Countermeasures
10. Assessing Email Services
Email Service Protocols
POP-2 and POP-3
Email Services Countermeasures
11. Assessing IP VPN Services
Attacking IPsec VPNs
Check Point VPN Security Issues
VPN Services Countermeasures
12. Assessing Unix RPC Services
Enumerating Unix RPC Services
RPC Service Vulnerabilities
Unix RPC Services Countermeasures
13. Application-Level Risks
The Fundamental Hacking Concept
The Reasons Why Software Is Vulnerable
Network Service Vulnerabilities and Attacks
Classic Buffer-Overflow Vulnerabilities
Format String Bugs
Memory Manipulation Attacks Recap
Mitigating Process Manipulation Risks
Recommended Secure Development Reading
14. Example Assessment Methodology
Accessible Network Service Identification
Investigation of Known Vulnerabilities
Network Service Testing
Methodology Flow Diagram
A. TCP, UDP Ports, and ICMP Message Types
ICMP Message Types
B. Sources of Vulnerability Information
Security Mailing Lists
Vulnerability Databases and Lists
Underground Web Sites
Security Events and Conferences
Updated 27-Dec-01 Router Security Configuration Guide, Executive Summary (65KB)
Updated 27-Dec-01 Router Security Configuration Guide (2,390KB)
5000 and 6000 and also 2948G and 2900 models, running CatOS may be susceptible to denial of service (DoS) attacks by use of a buffer overflow vulnerability in Telnet. Cisco is offering free software upgrades to the switches affected by the vulnerability.
[Jan 25, 2002] Architecting Secure Network Topologies -- Your application may not be as safe as you think it is. Learn how to secure your network from the bottom up by getting the details on such topics as VLANs, VPNs, and the DMZ.
Defining Strategies to Protect Against UDP Diagnostic Port ...
Cisco Router Software Glitch Opens Security Hole (July 03, 2000)
Softpanorama hot topic of the month
Download the Supporting Documents -- National Security Agency
Cisco Enterprise Network Security
Denial of Service CS155 Spring Quarter
Network Attack and Defense
Computer Crimes Examples of Network Security Attacks
Denial-of-service attack - Wikipedia, the free encyclopedia
Exam Cram Insider, Issue 67 Specializing in Cisco Security
Updated 27-Dec-01 Router Security Configuration Guide, Executive Summary (65KB)
Updated 27-Dec-01 Router Security Configuration Guide (2,390KB)
Note: All real ip addresses have been changed to the reserved 169.254.92.0 network.
! Beginning of access-list 101
! Deny rfc 1918 addresses:
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
! Deny packets with localhost, broadcast and multicast addresses:
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 255.0.0.0 0.255.255.255 any log
access-list 101 deny ip 22.214.171.124 126.96.36.199 any log
! Deny packets without ip address.
access-list 101 deny ip host 0.0.0.0 any log
! Prevent spoofing. Deny incoming packets that have
! our internal address:
access-list 101 deny ip 169.254.92.0 0.0.0.255 any log
! More spoofing prevention. Insert ip address of external
! router interface ip address:
access-list 101 deny ip host 169.254.8.78 any log
! If you run any listeners, NFS or Xwindows add those
! ports here.
! access-list 101 deny tcp any any eq 2000 log
! access-list 101 deny tcp any any eq 2001 log
! access-list 101 deny tcp any any eq 6000 log
! access-list 101 deny tcp any any eq 6001 log
! Allow only ACKed tcp packets to our network:
access-list 101 permit tcp any 169.254.92.0 0.0.0.255 gt 1023 established
! Allow only specific ICMP:
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 3 0 ! net-unreachable
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 3 1 ! host-unreachable
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 3 3 ! port-unreachable
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 3 4 ! packet-too-big
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 3 13 ! administratively-prohibited
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 4 ! source-quench
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 11 0 ! ttl-exceeded
! Allow smtp traffic to mail servers only:
access-list 101 permit tcp any host 172.29.92.15 eq smtp
access-list 101 permit tcp any host 172.29.92.108 eq smtp
! Allow incoming dns traffic to name servers only:
! Note: Probably best to limit tcp domain traffic to specific servers.
access-list 101 permit tcp any host 169.254.92.15 eq domain log
access-list 101 permit tcp any host 169.254.92.13 eq domain log
access-list 101 permit udp any host 169.254.92.15 eq domain
access-list 101 permit udp any host 169.254.92.13 eq domain
! Allow ntp to time server:
! See: http://www.eecis.udel.edu/~ntp/
access-list 101 permit udp any eq 123 host 169.254.92.38 eq 123
! Allow incoming news traffic to nntp server only:
access-list 101 permit tcp any host 169.254.92.103 eq nntp
! For ftp clients:
! Not very secure. The alternative is to remove this and
! force clients into passive mode.
access-list 101 permit tcp any eq 20 169.254.92.0 0.0.0.255 gt 1023
! We deny ident. We're not sure if it's secure. Entry is here
! to keep log files from filling up:
access-list 101 deny tcp any any eq 113
! Log everything that does not meet the above rules.
access-list 101 deny ip any any log
! End of access-list 101
! Add this to external interface of screening router:
no ip directed-broadcast
no ip proxy-arp
no ip unreachables ! Don't send icmp for denied items in access-list.
! Apply access list to external interface:
ip access-group 101 in
! Use this command if you want to see denied hosts while
! logged into the router. Use command:
! "show ip accounting access-violations"
! ip accounting access-violations
! Beginning of access-list 102
access-list 102 deny ip 192.168.0.0 0.0.255.255 any log
access-list 102 deny ip 172.16.0.0 0.15.255.255 any log
access-list 102 deny ip 10.0.0.0 0.255.255.255 any log
access-list 102 deny ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny ip any 10.0.0.0 0.255.255.255 log
! Don't allow internal hosts to send icmp.
access-list 102 deny icmp any any log
! Only allow packets from our network.
access-list 102 permit ip 169.254.92.0 0.0.0.255 any
! Log everything else:
access-list 102 deny ip any any log
! End of access-list 102
! Apply access list 102 to outbound external interface
! or inbound on internal interface.
Additional items to add to config:
no cdp run
no service finger
no service udp-small-servers
no service tcp-small-servers
no ip source-route
no ip bootp server
no ip http server
no ntp master
no ip domain-lookup ! If you don't have a name server.
no logging console ! Save cpu cycles.
! Cisco NTP information:
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
clock timezone PST -8 ! My timezone.
clock summer-time zone recurring
ntp source e0 ! My inside interface.
ntp server 188.8.131.52 ! My Linux time server.
! VERY VERY IMPORTANT! Log everything to syslog!
! IOS 11+
ip tcp path-mtu-discovery
! IOS 11.3+
ip tcp selective-ack
! Secure snmp with a community name other than public or private.
! Add access-list security.
snmp-server community secret RO 21
! Log router events to snmp trap host:
snmp-server enable traps config
snmp-server enable traps frame-relay
snmp-server host 169.254.92.83 secret
access-list 21 permit 169.254.92.83
Secure vty (Telnet) and aux port:
line aux 0
access-class 2 in
transport input all
line vty 0 4
access-class 1 in
password 7 xxxxxxxxxxxxx
! Add access-lists:
! Allow only specific hosts to telnet into router:
access-list 1 permit 169.254.92.39
! Block access to aux.
access-list 2 deny 0.0.0.0 255.255.255.255
Mail report of router log to myself:
Add UNIX cron job:
cat /var/log/messages |grep [routername]|sort +14 -15 |mail -s "Router Access List Log" email@example.com
Cisco Security Overview:
Encrypted Tunnels Are Answer for Remote Management -IW May 17, 1999
Q: What is the most secure way to manage routers and servers when the management traffic must travel across the Internet? A: The two common protocols used for managing equipment on a LAN are telnet and SNMP. Both of these protocols are insecure, because if traffic is intercepted by a sniffer, someone could collect passwords that could then be used to take over management control of the remote equipment. This is essentially what happens to Web servers that are "hacked." In my opinion, remote management should always be done through an encrypted tunnel of some sort. This ensures that passwords and other management information is never sniffable by hackers. Most Internet connections will travel across two shared-media LANs, one at either end. These might be Ethernet, FDDI, or token ring LANs, but in each case the traffic is vulnerable to sniffing because the shared-media technology makes the traffic available to all machines connected to it. Even switched Ethernet is not wholly secure from sniffing.
The Internet backbones themselves are not generally vulnerable to casual sniffing, but exchange-point traffic is vulnerable. In fact, a recently released document pointed out that the National Security Agency (NSA) was intercepting traffic at several major exchange points. Many Internet exchanges use a shared medium, commonly FDDI, in order to allow arbitrary interconnections between network peers. Anyone connected to the FDDI rings at these exchange points can potentially sniff other traffic crossing the exchange.
However, when you use encryption technology with a strong enough key, then you need not worry about sniffing. Unix-based servers can use the Secure IP (IPSEC) standard or the popular SSH technology to set up an encrypted telnet session that doubles as an encrypted tunnel through which FTP and SNMP can be done securely. The data is encrypted before it is placed on your local network connection and is not decrypted until it has arrived at the other end of the encrypted tunnel. Sniffers might be able to capture it, but they won't be able to decrypt it without expensive equipment and lots of time. If you change passwords every month, the information will be useless by the time someone could possibly decrypt your sessions.
With NT servers, you will need a black-box-encrypted virtual private network (VPN). Be careful with Point to Point Tunneling Protocol (PPTP), since the cryptography community believes its encryption technology is fundamentally flawed and not fixable. In any case, you are better off buying black-box equipment that supports IPSEC, because it will allow you to interconnect Unix servers that run IPSEC when your operation scales to the point that it requires Unix servers.
Once the VPN is in place and the encryption is turned on, you can safely use insecure protocols like SNMP and remote control products like VNC and PC Anywhere. In fact, VNC may be used to manage remote NT and Unix servers from any client you choose, including the Palm Pilot.
From Server to Firewall Multiple Layers of Intranet Security -IW April 5, 1999
Q: Is a firewall the only security we need for our intranet?
A: Security requirements vary from one organization to the next, and among an organization's different kinds of content. For most intranets, more than a firewall is needed.
Security is not just about access. It also protects information from accidental or willful alteration or destruction. Most security experts say a security breach is more likely to come from a company's own staff than from outside. These may be disgruntled employees, or those who are after the thrill of breaking the code. Either way, this implies the highest risk is inside the firewall.
In the physical world we have layers of security: A bank has vaults, locks, guards, and alarms, and each covers the weaknesses of the others. Intranets have a similar layered approach. At the center is server security, and content is only as secure as the server on which it is stored.
Most commercial servers include a base level of operating-system and file-system security. Some servers require additional software to control access to server resources and files. These measures are like locks: Only those with keys can gain access.
The next level is software that monitors the OS logs, looking for suspicious activity. When a potential intrusion is detected, the software generates an alert. The response may be automatic, or the systems administrator may have to generate the appropriate response. The history recorded in the server logs can be used to assess damage and plan restorative action.
Alarm systems can be added to network routers to detect or block potential threats. These take the form of filters that scan the IP packets looking for suspicious patterns.
At the network's entrance is the firewall. Firewalls have controls requiring the proper keys, and often have filters that scan incoming packets. They may have a proxy server that hides the real IP addresses of users requesting resources outside the firewall.
Finally, software, run outside the firewall, tries all known security tricks of hackers, thus scanning for vulnerability points. The security implementation also should be supplemented with regular process audits by an independent security expert.
Not every server or network segment needs the same security. One of the architectural considerations of an intranet should be the provision of areas where content requiring a high level of security can be placed.
Intrusion Detection Joins Net Security Arsenal -IW March 22, 1999
Passive and active techniques work together to help systems administratorsstay on top of intrusion perils
By Frederick M. Avolio and David M. Piscitello
When mainframes were the mainstay of computing, we encased them in glass houses. Locked doors and security badges were sufficient to secure our computing resources. But computing is now pervasive, and threats to computing resources have multiplied almost beyond comprehension. In a world where the network is more relevant than any single computer, locked doors simply don't do the job.
The security challenge posed by today's computing paradigm is daunting: Business-critical and highly sensitive information, residing on servers with known and exploitable vulnerabilities, is supposed to be accessible from virtually anywhere. We deploy antivirus systems to protect our computers and networks, and firewalls to block unauthorized access from the public Internet-and we hope that our staff are smarter than the attackers.
But while an organization's network vulnerability grows with each increase in the number of access points and network services required, most organizations can't find competent security staff nearly as quickly. New and automated mechanisms are needed to deal with burgeoning network vulnerabilities.
Intrusion detection systems (IDSs) are one such mechanism. The name may conjure images of an omniscient intelligence doing the work of ten or a hundred network and systems managers that tirelessly monitor computers and networks for malicious behaviors and sound an alarm at the first hint of a problem, while holding the hacker at bay or tracking him down across the Internet. But reality falls somewhat short of this.
Today's IDSs are neither as sophisticated nor as infallible as we'd wish-they're not psychic, so they can't discern bad intent or motive. They are, nonetheless, useful and effective additions to security defenses, and they are being used by small and large enterprises today. According to industry estimates, the market for intrusion detection products grew from $40 million in 1997 (Yankee Group) to $100 million in 1998 (Aberdeen Group).
TO SCAN OR MONITOR?
There are two types of IDS systems: scanners and monitors, both of which can be deployed on networks or on individual computers. Scanners are static analysis tools that we might call vulnerability checkers: They look for known problems-things like bad passwords, missing security patches, and weak configurations (such as a desktop machine that allows anyone to mount and read its C: drive). Scanners can also check to see whether important files have been removed or modified, and can warn of vandalism or systems administration errors. Monitors, in contrast, are dynamic analysis tools that watch for attacks in progress.
Scanners are used periodically, checking important servers, firewall machines, or any computer on a network. Network scanners check network services offered by individual computers on a network. Some also check for changes in security state, access controls, and passwords.
System scanners take a cryptographic snapshot of a system, so they can later tell if important files-system configuration files, system programs, even Web pages-have been modified. Some are set up simply to sound an alarm; others can also replace changed files with "good" cached copies.
Tripwire Security Systems' Tripwire, BindView Development's HackerShield, and WebTrends' Security Analyzer are among the growing number of vulnerability checkers available today, with support for different Unix systems as well as Windows NT. Among those that do network vulnerability checking are Axent's NetRecon.
Vulnerability checkers "can help reduce the huge amount of security audit trails and logs into useful information, allowing administrators to fine-tune systems," said Pete Cafarchio, program manager of the Intrusion Detection Systems Consortium at the International Computer Security Association (ICSA). "They help spot system configuration errors that have security implications, and are used to monitor the integrity of other key security servers, like firewalls. It's very common for us to hear of people who discover some major security holes that they never knew existed within the first 30 minutes after installing an IDS." Bill Tillery of National Bank of Alaska uses BindView's NOSadmin clients for both Windows NT and Novell. "With this tool," he said, "we're able to automate manual tasks that are otherwise quite time-intensive. We now have more information to work with, and it's more accurate." Dynamic analysis systems are also known as "threat monitors." They examine events as they are happening. There are two types of threat monitors: Anomaly detectors ask "What is unusual here?" and misuse detectors ask "What is bad here?" Examples of anomaly detection outside the computer world can be found in the credit card industry. If you've never charged thousands of dollars in one purchase on a charge card, try charging $2,500 in one store, then charge $5,000 elsewhere an hour later. It's likely the credit card verification system will advise the store to ask you for identification.
An anomaly detector is told, or actively "learns," what normal behavior is-for an individual, a system, or a network-and takes action when some event falls outside of some normal range. They let us know when something is fishy. People can be trained to do anomaly detection very well. It's very difficult to do by computer.
Much research has been done in the area of anomaly detection, but only very simple anomaly detection systems are in use today. Disk usage growth or shrinkage outside of a certain rate per minute can be tagged as an anomaly.
Individual user activities outside of normal use hours or connections to the network that are not from the user's usual machines are easily flagged as anomalous behavior. Sophisticated systems-where, for example, an individual's typing patterns or network use patterns are learned-are not here yet.
The other kind of dynamic analysis is misuse detection, which searches for codifiable patterns of behavior. There are two types of misuse detection systems. For the first type, we make a list of things that should not happen, and then the IDS watches for these events. "What should not happen" is based directly on the network security policy. For example, if the security policy says only HTTP, FTP, and SMTP are permitted from the Internet through the firewall, a misuse system watches for other types of packets from the firewall. This is difficult for an attacker to fool.
The second type of misuse detection system is also called an attack signature recognition system. Misuse or attack signatures are first codified, then a data source-a network telemetry system or an operating system audit log-is monitored for patterns of attack. A user-level process that starts up and acquires system or "root" privileges without executing the "su" (set user) command is an example of a simple misuse signature on a Unix system. NetProwler (Axent) and Anzen Flight Jacket for NFR (Anzen Computing), among others, handle this job at the network level, while CyberCop Server (Network Associates) and Axent's Intruder Alert are two of the products that monitor activity on servers at an enterprise level.
Some vendors are offering suites of products that work together and scan for threats and vulnerabilities on systems and the networks around them.
Examples of this are eNTrax (Centrax Corp.) and SafeSuite (Internet Security Systems).
Intrusion detection systems are already in fairly widespread use today on enterprise networks. Brian Iverson, a security consultant at KPMG Peat Marwick, has helped clients deploy IDSs because "they enhance a client's ability to know what's going on in their network and add capabilities to existing security measures." But he warns that IDSs are not a panacea but a complementing technology. "You can't ever get away from having strong controls on the back end [hosts]." In the future, as with all network security mechanisms, IDSs will have to work in concert with other security systems. Prevention systems, such as firewalls and authentication servers, could change configuration based on input from detection systems, a step known as "adaptive network security" or "active security." No matter how marketing departments label these, prevention, detection, and response systems that work together are within our grasp. Intrusion detection systems are critical to making this happen.
Security Mergers Shift Product Lines -IW January 4, 1999
With a growing number of large corporations seeking security products and services from one source, vendors are striving to meet that demand.
In many cases, vendors will be offering products in 1999 that are the result of technologies acquired last year.
For example, Network Associates acquired Dr. Solomon's for its virus detection software, Security Networks Inc. for its vulnerability assessment products, and Trusted Information Systems for its firewalls.
Meanwhile, Axent merged with Raptor, another firewall vendor, and strengthened its professional services group by acquiring Secure Network Consulting.
Other companies to watch include VeriSign, which joined the professional services group bandwagon when it picked up SecureIT of Atlanta, and Security Dynamics, which acquired Intrusion Detection Inc. to enter the vulnerability and scanning sector.
Another likely impact of these mergers and acquisitions will be a split in the market.
On one hand, corporations will work with large vendors that provide a wide range of products and sources. Yet they will be able to turn to speciality vendors that offer a "best-in-class" solution for unique security requirements.
Other security vendors, including large networking vendors and Internet service providers, will be offering products and services for companies that do not have the capability of setting up their own secure networks.
For example, GTE Internetworking has a suite of five security consulting services, including security design and implementation, penetration, and testing.
"Our SecureNet offerings help customers lower network operating costs, effectively manage information and technology risks, and reduce the time it takes to get a secure network up and running," said Adam Lipson, director, professional services, at GTE CyberTrust.
To round out their product offerings, companies are establishing partnerships.
Specialty IS vendors such as Check Point Software and Internet Security Systems are integrating complementary products.
Vendors with a broad IS product line, such as Network Associates, are working with complementary service providers such as Ernst & Young. For example, Ernst & Young will identify unique attacks and vulnerabilities using Network Associates' CyberCop product. The information will become part of an Ernst & Young library that will be shared with customers.
With the rise of electronic commerce, some analysts are also predicting that the greatest growth area for security products will involve public key infrastructures and certificate authorities.
Because many corporations have global operations, many information security managers will be dealing with regulations from a number of political jurisdictions.
For companies and organizations that need consumer data for their operations, this is an important issue. As a result, the complex data privacy laws will require greater attention and will likely drive legal costs higher in 1999 and beyond.
Export regulation for such technology as encryption products is another area likely to be important in 1999.
The struggle continues between the U.S. government, with its desire for stronger export restrictions, and U.S. vendors with their desire for less restriction. So far, the government seems to be winning.
As a result, U.S. firms will need to continue monitoring the type of encryption software used abroad and look for products that will work with any "standard" encryption algorithm allowing for agility in employing export-legal software.
Network Security Companies Offer New Consulting Options -IW May 11, 1998
Two network security companies have announced new education and consulting services to help users properly install and maintain security systems.
Check Point Software Technologies Ltd., the market-leading firewall vendor, last week announced the formation of a new division dedicated to technical support and customer training for use of its security and policy-based network management products. And last month Secure Computing Corp., San Jose, Calif., announced that it will add four new security-related services as well.
Services from Check Point's new division will include consulting, implementation, management, and troubleshooting of its firewall and traffic management products. It has also created the Check Point Emergency Response Force, a team of engineers that will work with customers remotely or on-site to handle critical situations such as hacking incidents or denial-of-service attacks.
Tony Reed, Check Point's vice president for technical services in the company's Redwood City, Calif., U.S. headquarters, said customers had been asking for more support directly from the company for some time.
"Until now, the option of getting support directly from Check Point has not been available to our customers--they've been going to the resellers for support," he said. "Now, we can actually touch the end users directly." As part of the new service offerings, Check Point will also open a technical support call center and a research lab that will be open 24 hours a day to help major clients. Reed said technicians at the lab would try to duplicate the client's conditions to find solutions to problems as they come up.
Secure Computing's four new offerings are assessment services (including internal and external testing and analysis to eliminate security risks), architecture services to recommend security migration and implementation, network services (including product training and installation), and support services geared to meeting more customer-specific needs.
Ted Julian, an analyst with Forrester Research in Cambridge, Mass., said the new offerings are both a natural response to customer needs and a desire to increase the companies' attractiveness to larger potential customers.
"There are deals they won't be able to do without adding these services," he said. "All vendors run into this when they start dealing with large vendors." Julian added that Secure Computing has more of a legacy in offering consulting services than Check Point.
firewall FAQ V-ONE Electronic Security University
Introduction to TCPIP
Introduction to Unix System Administration
Falling Victim To Smurf Attacks -IW April 20, 1998
Q: I have discovered that our network is being blocked from communicating with a number of other networks. At first I thought we had been placed on the Realtime Blackhole List (RBL) because someone on our network had been relaying spam. But I checked the RBL and we aren't on it.
A: It's quite possible that you have run into a different sort of exploitation. As you mentioned, if your network's mail servers are misconfigured, spammers can use them to blast out multiple copies of e-mail messages much faster than they could over a dial-up modem link. As a result, many network operators will block all traffic from a network that harbors these misconfigured mail servers.
But now there is another type of exploitation that can cause you to be cut off from sections of the Internet: a program called smurf. Widely available to hackers, smurf programs are used as attack weapons in denial-of-service (DoS) attacks. The goal of a DoS attack is to spew so many garbage packets at the victim's network that the victim's Internet connection is totally unusable.
Hackers can do this in many different ways, but the easiest is to mount a DoS attack from a network that has a greater Internet connection than the victim's. If the victim is on a dial-up line, an attack mounted from a T-1-connected network (1.54 Mbps) can completely flood the victim's link. So if you wanted to flood a company with, say, a T-1 or a 10-Mbps Ethernet connection, then you would need to launch your attack from a network with greater bandwidth than a T-1 or 10 Mbps. In these cases, it would suffice to mount two simultaneous attacks from T-1 or 10-Mbps connections, or you could use a DS-3-connected network (45 Mbps).
Fortunately, most attackers do not have access to this kind of bandwidth. But that's where the smurf program comes in handy. Using smurf, hackers send ping packets to the broadcast address on a network using Ethernet, FDDI, or Token Ring protocols. When such a network receives a ping directed at its broadcast address, every device on that network sends back a reply. The network could be someone's corporate LAN, or a Web server farm, or an ISP's modem pool. The end result is that for one incoming packet, several outgoing packets are produced, vastly amplifying the volume of traffic. It is not unusual for an Ethernet segment to have 100 devices on it, which would mean that someone sending a smurf attack from an ISDN line could generate roughly four T-1s' worth of attack traffic.
Now, ping replies normally go back to the origin of the ping packet, but a smurf program will generate packets using the victim's own IP address, so all replies are routed to the victim rather than to the attacker. In this way, a smurf attack can generate so much garbage traffic that the victim's usable connectivity is lost, thus making it difficult to identify the real source of the attack.
Some network providers will examine these attack streams to discover where the amplifier network is and will then block all data exchange with that amplifier network. The side effect is that even legitimate traffic from your network is blocked. Luckily, it is possible to configure your router, as documented in RFC 2267, so that your network cannot be abused as an attack amplifier or be used to originate such an attack.
In addition, Craig Huegen of Quadrunner Communications has published a Web page explaining how you can avoid being an attack amplifier.
Harker's sendmail References Page
...is a real mine of information concerning sendmail and related topics packed with tutorials and help (even for /etc/sendmail.cf).
Sendmail with POP3 v2.0 for Windows NT
The metainfo sendmail has a buit-in POP3 server and an HTML interface for administration. The sendmail part is based on version 8.8.4.
A (Smoother) Engine Powers Network Email
- Installation and Operations Guide
- Sendmail--An Internetwork Mail Router
- Mail System and Addressing in 4.2BSD
- New Sendmail Configuration Files
- Sample configuration files:
Sendmail book Home Page
Frequently Asked Questions
UnixWorld Online: Tutorial: Sendmail V8
"You can't read too much tutorial material..." Very true. But this one is a very good start and explains the rewriting rules in a way that even I (almost) understood them.
Sendmail Home Page
The bat page. Many useful links to many useful sites and email addresses for kudos (no?), questions and bugs.
Sendmail Inc. is the commercial distribution channel for sendmail which offers a 'Pro' version and support.
Windmail is an implementation of sendmail for Windows 95+ and NT and works in very much the same way.
Exploiting sendmail! by -- Ian Goldberg and David Wagner.
A first Guide for e-mail installation by Claus AŖmann
Internet Mail Consortium
Muy Cool Sendmail Resources
Ratatosk - TkRat -- mailer
A Beginner's Guide to Effective Email
Electronic Mail in Russian
Accessing the Internet by E-MAIL
PCSLink Traceroute -- you can traceroot you location
FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusivly for research and educational purposes. If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner.
ABUSE: IPs or network segments from which we detect a stream of probes might be blocked for no less then 90 days. Multiple types of probes increase this period.
Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers : Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism : The Iron Law of Oligarchy : Libertarian Philosophy
War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda : SE quotes : Language Design and Programming Quotes : Random IT-related quotes : Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce : Bernard Shaw : Mark Twain Quotes
Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 : Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law
Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds : Larry Wall : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS : Programming Languages History : PL/1 : Simula 67 : C : History of GCC development : Scripting Languages : Perl history : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history
The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month : How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Haterís Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite
Most popular humor pages:
Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor
The Last but not Least
Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.
Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.
This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...
|You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info|
The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.
Created: May 16, 1997; Last modified: September 12, 2017