Archive - 2006 - Blog entry

Be cautious not to run SSL VPN over port 80

I have had a client running a Linux box with OpenVPN for a while. The VPN passes through my enterprise firewall to get into their own isolated environment. After the firewall upgrade last week, the client started to complain that they had lost VPN access, and my colleague started to look into it.

It took my colleague a while to go through a whole bunch of tests, but he could not find out why the traffic was broken right after the firewall had established the connection. I mentioned that the firewall's application-layer inspection could be the cause, and soon it was resolved.

The client is using port 80 for the SSL VPN traffic, which they should not. It turns out that after the upgrade the firewall was evaluating the traffic more deeply than before, because it assumed anything on port 80 was clear-text HTTP. It uses a technology called a protocol agent to associate a protocol with an evaluation service. Once the protocol agent was taken away, my client's SSL VPN worked again.

In this case, neither side is really to blame. But as a precaution, do not run SSL VPN through port 80, especially since more and more firewalls are doing higher-layer inspection nowadays.
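As an added example (not code from the original post), this is the first-bytes check an application-layer inspector applies before treating port-80 traffic as HTTP, and why an HTTP-only protocol agent breaks a VPN flow after the TCP handshake. The three sample payloads are constructed: an HTTP request line, a zero-filled TLS 1.0 ClientHello record, and the leading bytes of an OpenVPN-over-TCP control packet.

```python
# Added example, not from the original post: what a port-80 protocol agent sees.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

def classify_first_bytes(data: bytes) -> str:
    """Classify a TCP payload the way a port-80 protocol agent would: http, tls or unknown."""
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x03, 2-byte length,
    # then the handshake type, where 0x01 is ClientHello.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    # HTTP/1.x request line: method, space, target, space, "HTTP/" version.
    if data.startswith(HTTP_METHODS) and b" HTTP/" in data.split(b"\r\n", 1)[0]:
        return "http"
    return "unknown"

def http_only_inspector_verdict(data: bytes) -> str:
    """What a strict HTTP protocol agent does with a port-80 flow: the TCP handshake has
    already completed, so a non-HTTP flow shows up as established and then dead, which
    is exactly the symptom in the story above."""
    return "parse" if classify_first_bytes(data) == "http" else "reset"

# Constructed sample payloads (not captured traffic).
HTTP_REQ = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# TLS 1.0 record carrying a ClientHello; the 32-byte body is zero-filled here.
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x26, 0x01, 0x00, 0x00, 0x22, 0x03, 0x01]) + b"\x00" * 32
# OpenVPN-over-TCP control packet start: 2-byte length, opcode 0x38
# (P_CONTROL_HARD_RESET_CLIENT_V2, key id 0), 8-byte session id, empty ack array, packet id.
OPENVPN_TCP = bytes([0x00, 0x0E, 0x38]) + b"\x00" * 8 + bytes([0x00]) + bytes([0x00, 0x00, 0x00, 0x00])
```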

October 30th

How phishing protection works in Firefox 2

From Firefox 2:

Phishing Protection is turned on by default in Firefox 2, and works by checking the sites that you browse to against a list of known phishing sites. This list is automatically downloaded and regularly updated within Firefox 2 when the Phishing Protection feature is enabled. Since phishing attacks can occur very quickly, there's also an option to check the sites you browse to against an online service for more up-to-date protection. This enhanced capability, and other Phishing Protection settings, can be configured in Firefox's Security settings.

When sites are checked against a local list in default mode, no information is sent to Mozilla or anti-phishing partners. When sites are checked against remote services, the Web site address is sent over a secure SSL connection.

It's great that you now have it built into the browser, and I like it even more because it's very clear that you can turn it off completely if you don't want it. I also noticed that the communication between you and the anti-phishing servers is encrypted.
The other interesting security statement from Firefox 2 is:

Open Source, More Secure

At the heart of Firefox is an open source development process driven by thousands of passionate, experienced developers and security experts spread all over the world. Our openness and active community of experts helps to ensure our products are more secure and updated quickly, while also enabling us to take advantage of the best third party security scanning and evaluation tools to further bolster overall security.

This is one of the reasons that has always been behind my open source security mindset, which has www.opensourcesecurity.org as its major community site.

September 14th

Home Made TAP from Patch Panel

This idea is from the snort.org web site, for an invisible tap. Basically, with a 24-port patch panel you can get 6 100M full-duplex taps right from it. Each tap uses 4 ports: two for the host connection and the other two for the tap itself. For example, I have ports 1 and 4 for the hosts and ports 2 and 3 for the tap. I use 4 wires to connect the following 4 pin groups:

  1. pin 1 of port 1, pin 3 of port 2 and pin 1 of port 4
  2. pin 2 of port 1, pin 6 of port 2 and pin 2 of port 4
  3. pin 3 of port 1, pin 3 of port 3 and pin 3 of port 4
  4. pin 6 of port 1, pin 6 of port 3 and pin 6 of port 4

After that, you can get traffic from port 2 and port 3, one for the sending and one for the receiving direction. Then you can use interface bonding to set up a virtual interface to capture the full-duplex 100Mbps traffic. Cool!
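As an added example (not from the original post or snort.org), this generates the wiring for all six taps the scheme above yields on a 24-port panel and checks the property that makes the tap invisible: no wire ever touches a transmit pin on a tap port, so the sniffer cannot inject anything. Pin roles are the 100BASE-TX ones (pins 1,2 transmit; pins 3,6 receive); the port layout assumed is hosts on ports 4n-3 and 4n, tap on 4n-2 and 4n-1.

```python
# Added example, not from the original post: wiring generator for the patch-panel tap.
TX_PINS, RX_PINS = (1, 2), (3, 6)  # 100BASE-TX pin roles

def monitor_ports(tap):
    """The two tap (sniffer) ports for tap number 1..6."""
    host_a = (tap - 1) * 4 + 1
    return (host_a + 1, host_a + 2)

def tap_wiring(tap):
    """Return the four wire groups for tap 1..6; each group lists the (port, pin) a wire joins."""
    if not 1 <= tap <= 6:
        raise ValueError("a 24-port panel holds six 4-port taps")
    host_a = (tap - 1) * 4 + 1
    mon_tx, mon_rx = monitor_ports(tap)
    host_b = host_a + 3
    groups = []
    # host_a's transmit pair runs straight through to host_b and is bridged onto
    # mon_tx's receive pair, so that port hears everything host_a sends.
    for tx_pin, rx_pin in zip(TX_PINS, RX_PINS):
        groups.append([(host_a, tx_pin), (mon_tx, rx_pin), (host_b, tx_pin)])
    # host_a's receive pair (what host_b sends) is bridged onto mon_rx's receive pair.
    for rx_pin in RX_PINS:
        groups.append([(host_a, rx_pin), (mon_rx, rx_pin), (host_b, rx_pin)])
    return groups

def tap_is_receive_only(tap):
    """True when no wire reaches a transmit pin on either tap port (the sniffer cannot inject)."""
    mons = set(monitor_ports(tap))
    return all(pin in RX_PINS for group in tap_wiring(tap) for port, pin in group if port in mons)
```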

vBuzzer tricks

I dived into the hot VoIP technology a while ago, starting with the adapters, then asterisk, and now the integration of all that cool stuff.

vBuzzer provides a very inexpensive DID service in the Toronto area (although not free, as some other lucky guys get). It's SIP compatible, but only the vBuzzer software is officially supported. My goal is to set up my home asterisk box to work with vBuzzer. Here is my journey.

First I found this great post at http://www.voip-info.org/wiki/view/Asterisk+settings+vBuzzer, set it up and tested it. Outbound was working, but not inbound.

I searched again and found a lot of people complaining about the inbound issue when using adapters or asterisk. Hmmm, let me try.

After a lot of sniffed data, firewall tuning, config changes, etc., I had my vBuzzer service working properly with my asterisk box. It's been up and running for more than two weeks now, so I would like to share this with my readers.

  1. sip.conf: make sure externip, localnet and fromdomain are set up properly. For example:
    externip=www.jlisbz.com
    localnet=192.168.0.0/255.255.255.0
    fromdomain=www.jlisbz.com:5060
  2. rtp.conf: make sure rtpstart and rtpend are in a smaller range for your firewall, so you can forward them to your asterisk box. For example:
    rtpstart=10000
    rtpend=11000
  3. Your firewall needs to allow and forward UDP 5060 (SIP) and UDP rtpstart-rtpend (RTP) into your asterisk box.
  4. In the register string and peer setup, DO NOT use vbuzzer.com as the host; use 209.47.41.48 instead. This is very, very important, as you will not get the SIP INVITE for inbound signaling from the vBuzzer servers if you don't use .48. I don't know why they set it up that way, but I just happened to find it after a couple of rounds of sniffing.

You should be able to get inbound calls now. Sometimes it takes a short while to become effective, but it should be less than 5 minutes in my experience. I saw someone post that you need to wait for hours to get inbound calls. Maybe they didn't set the host IP properly.
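As an added example (not from the original post), this is a small checker for the four points above, run on constructed sip.conf/rtp.conf text. The register line follows the standard Asterisk form (register => user:secret@host/extension) with placeholder credentials, the peer section name is made up, and the 1000-port limit for the RTP range is an assumption taken from the rtpstart/rtpend example rather than a vBuzzer requirement.

```python
import ipaddress

def parse_asterisk_conf(text):
    """Minimal parser: {section: [(key, value), ...]}, accepting 'k=v' and 'k => v'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, [])
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section].append((key.strip(), value.lstrip(">").strip()))
    return conf

def is_ip_literal(host):
    try:
        return bool(ipaddress.ip_address(host.split(":")[0]))  # tolerate host:port
    except ValueError:
        return False

def check_vbuzzer_setup(sip_text, rtp_text, max_rtp_range=1000):
    """Return findings for the four points above; an empty list means the setup passes."""
    sip, rtp = parse_asterisk_conf(sip_text), parse_asterisk_conf(rtp_text)
    general, findings = dict(sip.get("general", [])), []
    for key in ("externip", "localnet", "fromdomain"):  # point 1
        if key not in general:
            findings.append(f"sip.conf [general] is missing {key}")
    rtp_general = dict(rtp.get("general", []))
    start, end = int(rtp_general.get("rtpstart", 0)), int(rtp_general.get("rtpend", 0))
    if not 1024 <= start < end or end - start > max_rtp_range:  # point 2 (what point 3 forwards)
        findings.append(f"rtp range {start}-{end} is missing or too wide to forward")
    hosts = [v.split("@", 1)[-1].split("/", 1)[0] for k, v in sip.get("general", []) if k == "register"]
    hosts += [dict(items).get("host") for sec, items in sip.items() if sec != "general"]
    for host in hosts:  # point 4: register string and peer must use the IP, not vbuzzer.com
        if host not in (None, "dynamic") and not is_ip_literal(host):
            findings.append(f"host {host} should be the IP literal, not a hostname")
    return findings

# Constructed configs: GOOD follows all four points, BAD breaks points 1, 2 and 4.
GOOD_SIP = """[general]
externip=www.jlisbz.com
localnet=192.168.0.0/255.255.255.0
fromdomain=www.jlisbz.com:5060
register => USER:SECRET@209.47.41.48/USER
[vbuzzer]
host=209.47.41.48
"""
BAD_SIP = GOOD_SIP.replace("209.47.41.48", "vbuzzer.com").replace("fromdomain=www.jlisbz.com:5060\n", "")
GOOD_RTP, BAD_RTP = "[general]\nrtpstart=10000\nrtpend=11000\n", "[general]\nrtpstart=10000\nrtpend=20000\n"
```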

I just got an email back from vBuzzer support that told me "Please understand our dedication to provide low prices for calling services does not allow such support now and in near future". But guess what: I can be a volunteer for their support now. :-)

July 18th

Java SSH implemented for my home network

This gives me SSH remote control capability from anywhere, within a browser.

The product I chose is MindTerm.

June 12th

qmailtoaster recognized my contribution for the spamassassin upgrade

As I keep monitoring a couple of security lists, I noticed last week that spamassassin, one of the packages used in qmailtoaster for defending against spam, has a vulnerability which could be exploited by attackers to execute arbitrary commands. As I use qmailtoaster for my email server, I decided to upgrade it to 3.1.3. Then I emailed the source RPM to both Mr. Nick Hemmesch and Mr. Erik A. Espinoza.

It's a small thing, but both of them were so kind as to give me credit for this upgrade. Thanks, guys.

changelog

May 14th

Windows XP security tools from Microsoft

Microsoft used to think you would be secure if you took care of a personal firewall, auto update and anti-virus. :-) So they have these three categories in their security center. Microsoft now provides a personal firewall and auto update built into the Windows distribution, and has left a little bit of space for the anti-virus vendors. Microsoft also provides an anti-spyware tool, which is now called "Windows Defender". The newer formal release of Windows Defender is still to come, but the beta version gives me some comfort. It's basically the old anti-spyware plus a software explorer. The software explorer can show Startup programs, Currently running programs, Network-connected programs and Winsock service providers. It's handy to have them together, and you can remove/disable the unwanted items or end processes.

When I did my check with Windows Defender, I noticed from the Network-connected programs category that the VNC program was still listening on ports 5800 and 5900. I thought it shouldn't be there, as I always turn off the little TightVNC icon that shows up in the system tray. So I launched the service manager and found the VNC service was there, up and running. I had run a VA scanner against this PC before but didn't find these ports, as my Windows firewall silently dropped the incoming requests. But there would definitely be a problem if I happened to turn the firewall off. So I stopped it and disabled the service to make sure it would no longer start up by itself. This is a good example of how a handy tool can help you busy techies.

Overall, it's nice to have Windows Defender. Together with the three categories in the security center, you should have pretty good coverage for Windows XP security.

April 11th

Plaxo is great, but you need to be careful with duplication

The online contact database service from www.plaxo.com is great for helping me keep my contacts in sync between Exchange/Outlook and Thunderbird. Once you set up an account, you can install a plugin into Outlook and Thunderbird, so any change you make is synced through the web-based service.

But you need to take extra precautions when you re-install Outlook. Once, when I re-installed the Outlook client, Plaxo just created all the entries from the online database in the Outlook/Exchange database. All the contact items doubled into two exactly identical items. As I didn't want to pay for the premium service just to fix this kind of duplicate, I had to go through around two hundred items to remove the redundant ones. I like redundancy when I design my network, but not this kind. :-) After that, I deleted the contacts folder on the Plaxo web site and re-synced.

So when you re-install Outlook, which will retrieve contacts from the Exchange server, first delete the contacts/calendar etc. on the web site; then you can install the Plaxo plugin and sync up to the web server.

Or you can delete all contacts/calendar etc. on your Exchange server first, then install the plugin to pull the data from the web server.

As a good practice, it's always wise to back up your data using export from the Plaxo web site.

April 7th

NTOP is a memory hog

It's a great tool to dissect your traffic by type. You can use it to analyze the traffic pattern into your site when you put it outside of your firewall, or you can use it to analyze your users' behavior when it is installed on your user segment. It detects host OSes properly. The report is very detailed, including active sessions, their latency, etc.

One of the active sessions (screenshot: ntop active session).

This test was done on a Dell 750 server with a P4 2.8G, 512M RAM and an 80G SATA HD.

But when the network is busy, NTOP eats up memory very fast. For example, it had used up about 300M of memory when "85.0 MB [324,151 Pkts]" had passed its horizon, and about 700M after "203.6 MB [691,806 Pkts]" had passed. The good news is that the memory growth slows down once it reaches some point: it was around 800M after "504.3 MB [1,624,032 Pkts]", and it's now 1.1G after "1.1 GB [3,821,462 Pkts]".

I checked with www.ntop.org, which says of the memory requirement: "In general it ranges from a few MB (little LAN) to 100 MB for a WAN." Why did the memory usage keep rising on my machine? Something is not right. Probably it's because I am using the NTOP bundled with NST. Need to find out.

The data files only occupy a couple of megabytes.

According to the man page, "-x -X ntop creates a new hash/list entry for each new host/TCP session seen. In case of DOS (Denial Of Service) an attacker can easily exhaust all the host available memory because ntop is creating entries for dummy hosts. In order to avoid this you can set an upper limit in order to limit the memory ntop can use." and "-c --sticky-hosts Use this parameter to prevent idle hosts from being purged from memory." In the current conf file, there is no sticky and no -x or -X.

I tried using both -x 1000000 and -X 1000000 in ntop; I will see the result soon.

April 3rd

One example of a snowball effect caused by a wrong workstation network configuration

This afternoon I noticed that one of my virtual PCs could not connect to the Internet. At first I thought it could be the buggy Microsoft Virtual PC software/WinXP, so I restarted the whole thing, including the host OS, as I had not restarted it for a long while. It didn't work! As I have access to all firewalls/switches for security admin purposes, I decided to give it a shot.

Soon I found out from one of the firewall ARP tables that the MAC for my virtual PC's IP was not the one it should be. I checked the DHCP server but didn't find anything wrong, and my virtual PC was getting that IP perfectly fine. Someone was using a static IP in the DHCP range, again! It didn't take too much time to find Tony, who realized the issue right away, but here is his explanation. He started his workstation in the morning but found he could not get anywhere. He restarted a couple of times and eventually changed his IP to the one next to the one assigned by DHCP. Another static IP in the DHCP range! So I asked him to release it and wait for my further instructions. Then I worked with my network engineer to find out who was using this IP. Soon another workstation was found and disconnected. I asked Tony to renew his IP and made sure he was happy to do his work. Then I got my virtual PC connected.

Now the problem is resolved. I sent out an email to my team to remind them of DHCP discipline. It's lucky that not too many users were affected today, but it could end up in big chaos if more people got affected, set up static IPs, and then affected even more people.

So policy comes in as a vital player, along with user education, etc.

This can be restricted in a variety of ways in an environment that requires higher security.
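As an added example (not from the original post), this is the check that would have found both static addresses above in one pass: compare the DHCP server's lease table with the firewall's ARP table and flag every address inside the DHCP scope where the wire disagrees with DHCP. Both tables, the MAC addresses and the scope boundaries are constructed sample data.

```python
import ipaddress

# Constructed sample tables (made-up MACs): what the DHCP server leased, and what the
# firewall's ARP table says is actually answering for each address.
LEASES = {
    "192.168.0.50": "00:03:ff:aa:bb:01",  # the virtual PC's lease
    "192.168.0.51": "00:0d:56:aa:bb:02",  # Tony's lease
    "192.168.0.52": "00:0d:56:aa:bb:03",  # leased, host currently off
}
ARP = {
    "192.168.0.50": "00:11:22:aa:bb:99",  # a different MAC answers for the VPC's address
    "192.168.0.51": "00:0d:56:aa:bb:02",
    "192.168.0.53": "00:11:22:aa:bb:77",  # inside the pool but never leased
    "192.168.0.1": "00:0c:29:aa:bb:fe",   # the firewall itself, outside the pool
}
POOL = ("192.168.0.50", "192.168.0.99")  # assumed DHCP scope

def find_dhcp_conflicts(leases, arp, pool=POOL):
    """Return (ip, kind, lease_mac, arp_mac) for each pool address where the wire disagrees with DHCP.

    mac-mismatch: leased, but another MAC answers for it (the virtual PC's symptom above).
    unleased-address-in-pool: a live host inside the scope that DHCP never handed out
    (the second static address Tony's change collided with)."""
    lo, hi = (int(ipaddress.ip_address(p)) for p in pool)
    findings = []
    for ip, arp_mac in arp.items():
        if not lo <= int(ipaddress.ip_address(ip)) <= hi:
            continue  # outside the scope: static addressing is expected there
        lease_mac = leases.get(ip)
        if lease_mac is None:
            findings.append((ip, "unleased-address-in-pool", None, arp_mac.lower()))
        elif lease_mac.lower() != arp_mac.lower():
            findings.append((ip, "mac-mismatch", lease_mac.lower(), arp_mac.lower()))
    return sorted(findings, key=lambda f: int(ipaddress.ip_address(f[0])))
```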