After years Microsoft finally release an update for its sniffer: Network Monitor (aka NetMon) 3.0.

As already said at beta 2 time, this new major release (build 3.0.372) doesn't have limitations network professionals use to damn in 2.x versions: it works in promiscous mode and is released as stand alone package. And it's free of charge.

Plus NetMon 3 introduces several improvements:

• Real time capture and display of frames


• Simultaneous capture on multiple network adapters


• Multiple simultaneous capture sessions


• Network conversations and a tree view displaying frames by conversation


• Enhanced capture/display filtering (with boolean expressions and intelli-sense)


• A new script-based protocol parser language (NPL), and script-based parsers


• Scriptable execution (and packets capture) through NMcap command line tool

The new filtering system is pretty flexible and allows to write filters in similar you do with Wireshark (formerly Ethereal).
For example filtering HTTP traffic reaching or departing from IP address 192.168.0.1 can be written:

• ip.addr==192.168.0.1 and http (Wireshark)


• ipv4.Address==192.168.0.1 && protocol.HTTP (NetMon)

Filters can be written on multiple lines and comments are allowed, permitting to write complex analysis on packets in an easy way.

Download it here (it's unclead why Microsoft is still hosting it on Connect instead of Download website).
Check the development team blog here.

Italy, my country, is the first european state to adopt Microsoft Child Exploitation Tracking System (CETS), launched in 2005 and offered for free to worldwide governments.

CETS will be used by our police department dedicated to online crimes, the Polizia Postale e delle Comunicazioni.

CETS offers a national repository, powered by Microsoft SharePoint and SQL Server, where investigators can register suspected online identities, upload child exploitations images, link suspicious web sites, store seized emails, etc.
It then syncronizes informations with other national databases in adhering countries.

Efficacy of the tool is actually limited because apart Italy only Canada and Indonesia are using it.
US, Japan and Australia are evaluating CETS adoption, but until more countries will share informations on the system there are few chances to improve tracking capabilities.

It also worth to consider that masquerading an online identity is not too complex and these sexual criminals are used to computer technologies. Their level of know-how is surely improving fast, to adapt new countermisures and tools like CETS could be useless in few years.


Right in these days Microsoft is expanding its offering for defending children and launched a parental control tool called OneCare Family Safety.

Last issue of MSDN Magazine is dedicated to security.

Among top articles:

• Secure Habits: 8 Simple Rules For Developing More Secure Code (Michael Howard)


• Threat Modeling: Uncover Security Design Flaws Using The STRIDE Approach (Shawn Hernan, Scott Lambert, Tomasz Ostwald, Adam Shostack)


• Single Sign-On: A Developer's Introduction To Active Directory Federation Services (Keith Brown)


• Smart Storage: Protect Your Data Via Managed Code And The Windows Vista Smart Card APIs (Dan Griffin)


• Extending SDL: Documenting And Evaluating The Security Guarantees Of Your Apps (Mark Pustilnik)


• SQL Security: New SQL Truncation Attacks And How To Avoid Them (Bala Neerumalla)

Last one seems particularly interesting:

Exploits using SQL injection have drawn a lot of attention for their ability to get through firewalls and intrusion detection systems to compromise your data layers. Whether it's a first-order or second-order injection, if you look at the basic code pattern, it is similar to any other injection issue where you use untrusted data in the construction of a statement. Most developers have started mitigating these vulnerabilities in Web front ends by using parameterized SQL queries in conjunction with stored procedures at the back end, but there are some instances where developers still use dynamically constructed SQL, like in the construction of Data Definition Language (DDL) statements based on user input or for apps written in C/C++.

In this article I will discuss some new ideas that can result in either modifying SQL statements or injecting SQL code even if the code has escaped the delimiting characters. I will start with some best practices for constructing delimited identifiers and SQL literals, and then I'll show you new ways attackers can inject SQL code in order to help you protect your applications...

Read the whole MSDN Magazine November 2006 issue here.

Check Point continues to release new minor updated of its platform on regular basis, not changing the strategy already adopted with previous NG platform and its Feature Packs.

In NGX the company doesn't call new updates Feature Pack anymore but continue to release them every 4 months or so.

In the new R62 there are some interesting changes:

• Integry removing from Media Kit
  Integrity, the endpoint security solution Check Point obtained with ZoneLabs acquisition over 2 years ago, has been removed from package.
  Check Point included it in the R61 package but now already changed its mind, only allowing resellers to distribute it to interested customers.
  
  This is possibly to reduce piracy of the new product, already available in warez circuits.
  If so I don't think it's a very effective countermisure, only slowing down customers evaluation and adoption.



• Support for Windows Server 2003 Service Pack 2
  NGX R62 supports Windows Server 2003 Service Pack 2 even if at the moment of writing the SP2 is not yet released by Microsoft.
  
  While I'm sure Check Point has access to new builds much earlier than other beta tester, I don't remember the company ever supported a new operating system update so early.
  I strongly recommend to not install SP2 on your Windows Server 2003 machines at release time without extended testing for reliability and compatibility with Check Point products.



• Multiple SmartDefense profiles
  Finally customers are able to create several SmartDefense configurations from SmartDashboard and bind them to different gateways in the object database.
  In the same fashion SmartDefense can be disabled on gateway basis.



• Enhanced Log Forwarding
  Depending on your configuration Check Point gateways forward local log entries to the default SmartCenter Server log server, or to additional Log Servers configurated as stand-alone tiers.
  In this process log entries are stored locally, forwarded to the right location, and finally deleted locally.
  
  In the NGX R62 all logs can be forwarded directly, without local storing.
  I don't see this feature particularly safe to use, because it's necessary to evaluate what happens if, during the forwarding, link goes down.

The NGX R62 supports backward compatibility down to NG FP3.
Older installations have to be upgraded to NG AI [R54] and then migrated to NGX R62.


A last note about build version: tracking Check Point platform updates can be very hard because every single component has a different build numering.
NGX R62 has following build numbers for major components:

• VPN-1 (Power / UTM on any OS) - 120


• SmartCenter Server - 021


• SmarConsole - 618000131



• SecurePlatform - 031

This blog's readers know how much I love Symantec. No other company in the security space provides me so much concern like this one.

Symantec spent last years acquiring one after another quite dozen of valid security firms, trying to reach a leadership position thanks to marketshare, not quality of products.
The company has been so successful in acquiring and so unsuccessful in integrating that I usually refer to it with the name of Symantec of Borg.

This strategy never really worked so the company could just maintain a leadership in its own market segment: antivirus.

Unfortunately this segment is going to be saturated by the biggest competitor possiible, Microsoft, which has interest and economical power to offer multiple anti-malware products for free to consumer and business audience if needed. And will eventually do.

In my years of experience I cannot remember meeting a single user, system administrator, security professional, CTO or CIO, not complaining about Symantec core product performances or lack of innovation.

Fearing Microsoft competition and knowing its own weakness, Symantec is now trying to create new (non-existent) markets where it can escape.
So it just launched Security 2.0 (I knew someone sooner or later would have this bad idea).

Its CEO, John Thompson, launched the initiative declaring worms and viruses problems is solved. Or at least this is what InformationWeek reports.

Security 2.0? But if we still are far away to reach a stable 1.0...

The new wave of products forming the Symantec Security 2.0 is incredible:

• Norton Confidential Online Edition
  An anti-phising tool (we are plenty of these tools. All 1.0) able to block keyloggers (something the anti-virus should already do)?
  
  In any case a very poor approach to the problem: if banks want to offer a safe environment to customers could simply send them a USB key filled with VMware Player (free) and a custom Linux distribution (free as well), able to only connect home-banking site. Nothing could be more 2.0 than this.



• Symantec Database Security
  A behavioral host IDS? Thanks, we are working on them since years, still addressing false positives and false negatives issues.



• Symantec Mail Security 8300 Series
  The dear old Brightmail Anti-spam engine in a shining new case? It also features content filtering? Thanks, we do that since 10 years, and WebSense is still leader in this segment.

I prefer to not further comment remaining 2 announcements of this wave: partnership for services with VeriSign (for 2-factors authentication) and Accenture (for risk assessment and management).


If this is Security 2.0 I want to directly skip next major release.

3Sharp published an interesting 37-pages comparison between anti-phishing tools available on the market today.

Not only it's interesting because it provides a useful compendium to the lastest Internet Security Threat Report published by Symantec, but also because it includes some unexpected results, distinguishing between recognition rate (detailing false positives) and blocking rate.

GeoTrust TrustWatch is the most capable in recognition but has 2 big issues: has a 32% rating of false positives and is unable to block any phishing attempt.

Microsoft Phishing Filter included in Internet Explorer 7 Beta 3 is the best in class, able to recognize 89% of threats without false positives, and a 83% capability to block phishing attempts (remaining 6% is only warned) .

The much popular Google Toolbar included in Firefox is only at 4th place, able to recognize without false positives and block only 53% of threats.

The interesting SiteAdvisor, which claimed a 90% worldwide websites coverage before being acquired by McAfee in April, has been included in the comparison even if McAfee clearly states the product doesn't recognize phishing (read comments for more details).
No surprise it was the last one with a mere 3%.


Read the whole report here.


Update: As every report it should read with due aloofness: the study has been committed by Microsoft, 3Sharp founders are former Microsoft employees and the company is mainly skilled on Microsoft technologies.

Symantec released the 10th edition of its much appreciated Internet Security Threat Report.

The very first edition of this report has been published in 2002 by Riptech, a company focused on intrusion detection which Symantec of Borg acquired in these years.

The most recent versions of the report are developed by over 1600 Symantec security analysts, the company claims. While results could be manipulated to justify old and new products, or to discredit competitors like Microsoft (and near the Windows Vista launch Symantec has all interests in doing so), it remains a useful tool for evaluation of attack and vulnerability trends.

The September 2006 edition offers a 120-pages coverage of threat activity between January 1st and June 30th.
Below significant highlights divided in categories.


Attack Trend

• Microsoft Internet Explorer was the most frequently targeted Web browser, accounting for 47% of all Web browser attacks


• Symantec observed an average of 6,110 DoS attacks per day


• The United States was the target of the most DoS attacks, accounting for 54% of the worldwide total


• The Internet service provider (ISP) sector was the most frequently targeted by DoS attacks


• China had the highest number of bot-infected computers during the first half of 2006, accounting for 20% of the worldwide total


• The United States had the highest percentage of bot command-and-control servers with 42%


• Beijing was the city with the most bot-infected computers in the world


• The United States ranked as the top country of attack origin, accounting for 37% of the worldwide total


• The home user sector was the most highly targeted sector, accounting for 86% of all targeted attacks

Vulnerability Trend

• Symantec documented 2,249 new vulnerabilities, up 18% over the second half of 2005. This is the highest number ever recorded for a six-month period


• Web application vulnerabilities made up 69% of all vulnerabilities this period


• Mozilla browsers had the most vulnerabilities, 47, compared to 38 in Microsoft Internet Explorer


• In the first six months of 2006, 80% of vulnerabilities were considered easily exploitable, up from 79%


• Seventy-eight percent of easily exploitable vulnerabilities affected Web applications


• The window of exposure for enterprise vulnerabilities was 28 days


• Internet Explorer had an average window of exposure of nine days, the largest of any Web browser. Apple Safari averaged five days, followed by Opera with two days and Mozilla with one day


• In the first half of 2006, Sun operating systems had the highest average patch development time, with 89 days, followed by Hewlett Packard with 53 days, Apple with 37 days and Microsoft and Red Hat with 13 days

Malicious Code Trend

• Eighteen percent of all distinct malicious code samples detected by Symantec honeypots were new


• Five of the top ten new malicious code families reported were Trojan horse programs


• The most prevalent new malicious code family this period was that of the Polip virus


• Worms made up 38 of the top 50 malicious code samples


• Worms made up 75% of the volume of top 50 malicious code reports


• Symantec documented 6,784 new Win32 viruses and worms


• Bots accounted for 22% of the top 50 malicious code reports, up slightly from the 20% reported in the last period


• Thirty of the top 50 malicious code samples exposed confidential information


• Modular malicious code accounted for 79% of the volume of top 50 malicious code, down from 88% in the second half of 2005

Phishing, Spam and Security Risks

• The Symantec Probe Network detected 157,477 unique phishing messages, an increase of 81%.


• Financial services was the most heavily phished sector, accounting for 84% of phishing activity.


• Spam made up 54% of all monitored email traffic, up from 50% in the last period.


• The most common type of spam detected in the first six months of 2006 was related to health services and products.


• Fifty-eight percent of all spam detected worldwide originated in the United States


• Eight of the top ten reported security risks were adware programs.


• Three of the top ten new security risks are what Symantec calls misleading applications

Two of these results are quite expected but still the most interesting: an average of 28 days for vulnerability exposure, and 54% of mail traffic made by spam.
While I'm well persuaded preventing new threats is impossible at the moment, I wonder why the security industry is failing so miserably in mitigating damage.

I strongly recommend to read the whole Internet Security Threat Report - September 2006.

I already wrote the parental control / Internet filtering security tools are so rare, mentioning free solutions available today on the market and considering possibility Google could release something in this space.

While waiting for Google, I wanted to try what Microsoft is doing at least in the home market with its new Windows Live OneCare Family Safety (I bet parents out there already got confused trying to understand which is the name of the product).

The new solution has just been released in beta and it's offered under the umbrella of Windows Live initiative. So this is just a first look at features, I didn't try to find bugs, test workarounds or evaluate URL database consistency in the product (for a public attack at a beta product you better ask Symantec an help...).


After enrolling for the beta, the very first thing to do is download the OneCare Family Safety (OFS from here) and install it on all home PCs.
Then it's time to go online with a browser and reach the OFS Settings Manager, where I need to add my children accounts and decide how to practice my despotic control over my family (but with so much love):


I don't have children yet but let's imagine I have a 20 years-old son and a little 13 years-old daughter. OFS helps me monitor and protect both of them despite different needs and interaction with Internet they have.

For my brave son I want to allow maximum freedom, but remember him he's still young. So I allow his account to surf the whole Internet without limitations, but enable a warning screen when he reaches porn sites.

For my sweet little daughter I still want maximum protection, so I block all categories except Sexual Education (this is a default setting...I doubt a father would allow such category without being obliged with blackmail).
I also add a custom site to be blocked, MySpace, which I heard being so dangerous in these days.
Finally, I also enable web monitoring so anything my daughter will do, blocked or not, I will know:


Done. At this point I have absolutely nothing else to do: my home computers are protected by the OFS client so nobody can access Internet without logging in with his/her OFS account.
Obviously I installed the client with administrative permissions but my children don't use that Windows account to work on the machine (otherwise could be simple to vanish all my efforts).


The first one to approach the new locked machine is my son.
He logs in the OFS client and launch the browser. As configured is free to surf around but after few minutes his restless curiosity for the world brings him to a well-known porn site.
He receives the expected warning:


which quickly turns to be a very annoying remind because every single popup summoned by the porn site, is considered porn itself, and the warning window appears every 2 seconds.
He'll eventally give up, closing the browser and signing out from OFS client, embracing the hacking career within few months, just to have his free amount of daily obscene action.


It's time for my little daughter to sit in front of screen: she logs in the OFS client, opens the browser and the very first thing she tries to do is reaching last website my son visited, the porn one.
Luckily OFS recognized her and immediately block access:


The very second thing she tries is reaching a wonderful site to meet new friends, which she heard at school: MySpace.
As expected she gets another block but this time she's very committed to reach the site and create a permission request:


Few hours later, from the same computer, or remotely from the office, I will be able to see which sites she tried to visit:


and will be able to see and evaluate her request to reach MySpace:



Leaving the role of severe daddy and going back serious, I can say OneCare Family Safety is a very promising tool, filling a big void in current market offering, but has a couple of isses to be addressed:

• Users management
  The whole system works only if every family member has a Windows Live ID (the former Passport account), which obliges parents to create new mailboxes and provide passwords to children.
  This is a counter-sense considering the amount of malicious spam arriving by email every day.
  It's also very annoying and has could be a pain trying to use very old Passport accounts (I had to create a new one to perform this preview), even if they are supported.



• Speed
  Since all web requests have to be transmitted to Microsoft (or at least seems so) and verified against the defined policy before allowing the user to reach a site, there are moments where the navigation is unacceptablly slow, even on a 4MBits ADSL line.

When the final product will be released we'll see how wide its database will be and how smart the filtering engine will be blocking access to unallowed sites from browser and other applications.

Rainbow Table method works great with Windows password hashing algoritms. But it can be applied to other hashing algorithms, like the ubiquitous MD5.

A new website, Free Rainbow Tables, just started its business and the first offering is a great set of 36 tables for lower alphanumeric strings hashed with MD5, from 1 to 8 characters. For free obviously.

And it's just the beninning since creators developed a Windows distributed application to spend free computation time generating new or extended tables.

This year I'll be present at the italian event SMAU 2006.

I'll attend the October 6th day only, Friday (whole day), and I'd be happy to meet some Security Zero italian readers.
So if you partecipate at the exhibition look for me at the Microsoft booth, along with other Most Valuable Professionals (MVP).

See you there!

Threat Analysis & Modeling is one of that free tools you letting you think Microsoft could do incredible things in security.

Threat modeling is an analysis process aimed to identify characteristics of an application and potential threats they are exposed to.
And, as I already said during beta, this new version perform the task in an impressive way.

Here some of the new features:

• TreeView Navigation with visibility to all nodes at all times


• Wizard based threat model creation


• Default Attack library with descriptive countermeasure guidance


• Automatic Threats and Use Cases generation


• Consolidated Call Flow (System Flow), Attack Surface, Threat Tree are some of the few visualizations available, which can all be exported to Visio


• Exportable Analytics and Reports to HTML


• Import 1.0 Threat Model


• Export countermeasures and attack test cases to Visual Studio Team Foundation Server (TFS)


• Import SDM Deployment Reports from VSTA


• Copy Paste and Drag-&-Drop features


• Enhanced Find Feature

The new wizard is surely the most notable improvement, helping you defining all application aspects, from users to services, from data to components, from business objectives to relevancies, at a very deep level of detail:


Microsoft has also been so smart to create a whole video series to introduce you the tool:

• What is Microsoft Application Threat Modeling


• Creating a Threat Model - Define Application Requirements


• Creating a Threat Model - Define Application Architecture


• Creating a Threat Model - Model


• Creating a Threat Model - Assimilation


• Creating a Threat Model - Measure

Check the development team blog here and obviously download the tool here.


Meanwhile I still wonder if I could have something similar for network security. Microsoft are you listening?

CRN revealed Check Point just lost 2 key persons few days ago:

• Viv Francis, EMEA Channel Manager (moved to Symbol Technologies)


• Niall Moynihan, founder of Check Point UK and Ireland and Africa Country Manager, (moved to Cisco)

The most interesting thing is a sentence from Moynihan:

Moving to Cisco was an easy choice because it has a clear roadmap and vision. Every day I’m seeing more positive developments

I always said Check Point is an undiscussed market leader in firewall segment but it has a very evident chaotic development model.
This statement seems to indirectly confirm my judgement.

The biggest question is: are these key figures leaving before Check Point is acquired (despite denial from its CEO)?

Microsoft released a refreshed management pack for monitoring the new ISA Server 2006 in Operation Manager (MOM) 2005.

Luckily it supports older versions 2000 and 2004.

Download it here.

Many already know some commercial certificate authorities like Thawte (acquired by VeriSign in 2000) already offers free digital certificates.
What not everybody knows is these are client certificates only, which means cannot be installed in a web server for example.

If we are in need of a server digital certificate for lab environment or we plan to use it only inside your company, then we can create a self-signed one.
But if we need a worldwide trusted server certificate we'll have to pay for it.

Unless we turn to CAcert.

CAcert is a no-profit Certificate Authority based in New South Wales, Australia, and running since 2002 which issues client and server X.509 Class 3 digital certificates for free.

Client certificates are typically used for email encryption and/or authentication verification.
Lately they are also used for instant messaging encryption as well. And in the near future will probabily be the most used tool to secure VoIP communications.

Server certificates are instead used for securing and providing authentication verification from a vast range of servers, from web servers to mail servers, up to VPN gateways (where is much safer running a digital certificates peers recognition with IPSec instead of exchanging a secret).
CAcert certificates support all these use and can be used in mail servers to secure all three major protocols: POP3, SMTP and IMAP.

CAcert certs are also usable as so-called code signing certificates, allowing developers to provide identity verification for their installers, Java web applets or .NET framework executables.
Unfortunately (or fortunately) this kind of certificates are not immediately available like standard client and server certificates mentioned above, but requester have to enroll a special process to assure his identity.


The biggest issue with CAcert certificates is they are not recognized out-of-the-box: CAcert is not included among root certificate authorities in Internet Explorer, Firefox and Opera, so everybody interacting with these certs have to import the CAcert certificate inside their operating system.

This situation will eventually change in the future since more and more distributions are providing default support to CAcert.
Among existing ones today we have: CentOS, Debian, FreeBSD, Gentoo, Knoppix. Others will come.

Despite this limitation in many scenarios adopting a CAcert is still better than generating self-signed certificates: providing authentication for several tents or hundreds of servers for example would be unpracticable with self-signed certs, since all of them should be imported in clients.


Another less severe issue with these certificates is they don't contain any personal information immediately after release.

When a new free certificate is issued it contains the only information the certificate authority can easily verify: our email address for client certificates and domain name for server certificates.
If we want CAcert to certify our email address or our domain name are linked to a real person or company identity we have to prove that identity.
This is done involving human verification of real world documents.

Usually called Web of Trust (WoT) CAcert defines it Assurance Program, but the principle behind the process is identical:
some designed persons, assurers, around the world can verify our identity manually checking photo ID documents, and assign us a limited amount of points.

A requester is obliged to let serveral different assurers verify his identity, and he too is called to verify identity of other requesters to reach a certain score.
After reaching the required amount of points our certificate is enhanced and can contain more personal data, including for example company name and address.

Obtain a physical identity verification by assurers is not very easy (at the moment the program counts around 7,000 assurers worldwide) and could cost some money:
while CAcert doesn't charge for the service, sometimes Web of Trust members ask for a small amount of money, for their disturb (this also happens with Thawte).

Anyway it's not mandatory having full details in digital certificates to work with them, but once reached the assured status we overcome some other limitations:

• server certificates expire in 24 months instead of 6 (they are in any case renewable)


• client certificates can be used for code signing

CAcert is not the only free certification authority available on the net.
Startcom, Linux distributor based in Israel, has one existing since less than 2 years, but only issues Class 2 digital certificates.

EMC Corporation (EMC2) is worldwide known as leader in the high-end storage market.

The company acquired several companies, including LEGATO backup solution provider and Rainfinity high-availability solution provider, in the last 5 years from different markets but gained popularity among the masses after acquiring VMware, the leader in server virtualization (if you read my blog virtualization.info you know everything about this story).

After VMware EMC comes back in the security area and buy in rapid succession RSA, leader in token-based authentication, and Network Intelligence, one of the few players in the Security Event Manager (SEM) segment.

Where EMC is going?

At first sight they are building fundamental blocks of security around data they store: availability (Rainfinity), reliability (LEGATO), accessibility (RSA) and auditing (Network Intelligence).
But at the moment there isn't a clear integration plan between acquired technologies. It's evident looking at the announced rearrangement strategy, where RSA maintains its brand name but leads the whole security department, where Network Intelligence becomes a RSA business unit, where no word has been said about destiny of previously acquired security firms.

EMC have to detail how rearrangement will be done exactly and to prove real integration, otherwise will only generate confusion among customers, weakening all brands images and appearing as the new Symantec of Borg.

After talking about enhanced capabilities of Wireshark (formerly Ethereal) and new style of upcoming Microsoft Network Monitor 3, another sniffer is worth to mention: WildPackets OminPeek.

Originally called EtherPeek, OmniPeek offers more than a basic sniffer, with statistical analysis of traffic, advanced protocol decoders and support for hardware capture card (to name a few).
It's a highly appreciated product along with Observer (Network Instruments) and Fluke (Fluke Networks).

Since some time WildPackets offers for free the OminPeek 4.0 Personal Edition.



It has some limitations:

• Able to capture from a single network interface at one time only


• Expert analysis limited to 25 active conversations


• Licensed for use on networks up to 200 nodes only


• No support for matrix switches


• No specialized Gigabit or WAN Analyzer Card support


• No VoIP analysis experts or options

but it's still fully working and is worth a full evaluation.

OminPeek has some clear advantages over Wireshark in statistical analysis (which is updated in real-time, during capture):


while it suffers in filtering capabilities (Wireshark language filtering is unbeatable).
Anyway it can count on a very interesting filtering builder which someone could prefer over Wireshark boolean conditions:


Until Wireshark will not get serious enhancements on traffic analysis, I would consider OmniPeek Personal it's mandatory complement.

Endpoint security could revolutionize corporate security. I say this thing since a couple of years.
But endpoint security effectiveness is flawed by at least 2 big issues:

• it cannot handle machines where no endpoint agents are present


• it lacks of interoperability

This second point is the most important at the moment: actual solutions aren't based on a standard and aren't interoperable by default.

A customer adopting the Check Point endpoint security solution (Total Access Protection or TAP) will not be able to integrate it with Cisco equipement featuring Network Admission Control (NAC) endpoint security implementation.

2 year ago Cisco and Microsoft annouced a cooperation to deliver interoperable endpoint security. But since that announcement nothing happened (also because Microsoft endpoint security solution, Network Access Protection or NAP, will appear not earlier than another year and a half).

Now Cisco and Microsoft are re-announcing their partnership for NAC-NAP interoperability at Security Standard conference.

Again? Yes, but this time they made a little more, producing a 8-pages whitepaper (half marketing half technical), about the interoperability.

The central point of this interoperability is the endpoint security agent, which is currently integrated in Windows XP SP2 (with some limitations) and in Vista and Windows codename Longhorn Server beta builds: the Microsoft NAP agent will serve also as Cisco NAC agent.
Luckily the agent will be updated by online Windows Update service or offline Windows Server Update Services (WSUS).

Meanwhile Cisco will continue to develop its own NAP client (Cisco Trust Agent) for non Microsoft operating systems and possibly for Microsoft OSes prior to Windows Vista.


How customers adopting Check Point TAP or Sygate NAC (now acquired by Symantec of Borg) other endpoint security solutions will be able to integrate on this? Has still to be known.

Obviously this complexity could be addressed creating a standard. The real problem is an attempt to standardize already exists but not all companies are embracing it.

It's called Trusted Network Connect and its first draft appeared in May 2005.
By chance both Check Point and Sygate immediately adhered to it, while others like Juniper, Nortel, StillSecure added or announced support to it this year.

Microsoft announced plans to make its NAP compliant to TNC standards on April 2005 while Cisco didn't.

So while you ask yourself why Cisco is once again preventing to return on your previous investments, you may want to look at a wonderful summary scheme about NAP-NAC-TNC interoperability, created by Opus One:


You may also want to check for further reference a needful terms comparison for all three implementations in the standardization assessment published by IETF in June 2006.

After many years the Microsoft network sniffer, Network Monitor (friendly called NetMon), is coming back.

Network Monitor 2.1 is included as optional component in every Windows NT/2000 installation but has a severe limitation: it cannot put the network interface in promiscuous mode, preventing capture of all packets passing on the cable.
To have a full version of Network Monitor 2.1 you have to buy Microsoft System Management Server (SMS) 1.2 or 2.0.

Upcoming Network Monitor 3 will offer several new features and will finally be an uncapped, free, stand-alone application for Windows XP/2003/Vista/codename Longhorn (both 32 and 64bits):

• Real time capture and display of frames


• Simultaneous capture on multiple network adapters


• Multiple simultaneous capture sessions


• Network conversations and a tree view displaying frames by conversation


• Enhanced capture/display filtering (with intelli-sense)


• A new script-based protocol parser language (NPL), and script-based parsers

The last feature is particularly interesting, permitting network experts to create new protocol decoders or complex packet manipulations in an easy and quick way (in previous releases writing a protocol parser implied writing a DLL).


With NPL (NetMon Parser Language) Microsoft has a big chance to involve the network and security communities around Network Monitor and should arrange a Parsers Center or something like that.

We'll see if it will be able to compete with Wireshark (formerly Ethereal) and its new enhanced features.

Enroll for the beta here and check dedicated beta newsgroup here.

Roger Grimes, fellow CISSP and Microsoft MVP, wrote an article about value of antivirus products.

He reports antivirus tools are unable to recognize and clean a lot of recent malware code. But most of all he firmly claims they are unnecessary to stay uninfected. Pure truth.

Antivirus shouldn't even be called this way. Anti is a term leading to think about proactivity, while antivirus solutions are just virus cleaners. Something to use when you are already infected.

The most important point is Roger never suffered an infection even if he never used an antivirus. Me too, and probably many others.
He never got infected because he blocks source of malware instead of allowing them and then clean damage.

He does what I would call traffic sanitization:

• blocks unwanted traffic using a personal firewall


• blocks unwanted HTML malware converting incoming email in plaintext and (probably) using an ad-blocker in its browser


• blocks unwanted attachments using an antispam tool

Plus he maintains his system in good health, hardening and patching it every time is needed.

It's all the things you need to remain uninfected? It's true the fact he is a high profile security guy doens't help here?
I don't think so. And even if so, I still see many problems in this approach (which is the one I apply too).

For sure Roger knowledge granted him capability to recognize, choose, configure and update security tools mentioned above.
No matter if a less experienced user (his daughter) is then able to run virus-free even without skills. He secured the system at beginning.
It's easy to avoid troubles when every tool is at the right place.

Also, every time a threat bypass security defenses experience becomes the most powerful tool.
In some cases, when surfing or reading emails, there is something strange around and only experienced users are able to recognize the risk they are going to face, even if the malware or the technique is completely new and they never saw it before.

Not every system administrator or home user out there has same skills. But even having them, how much time costs deploying all mentioned tools? Surely 10 times what you would spend configuring and updating an antivirus tool.

Antivirus are useless and should disappear not because other tools exist and defend better, but because the way they try to provide fast and easy protection is fault.
We still need fast and easy protection, but with a different approach.

While still much perfectible, Security Configuration Wizard (SCW). almong with WSUS, is one of the best tool Microsoft ever made in its path towards enterprise security leadership.

I covered it before in Hardening Windows 2003 platforms made easy.

SCW has 2 big limits:

• it doesn't work on all Windows editions


• its roles cannot be updated with Windows Update or WSUS

This second limit obliges Microsoft to release a new version every time a new backend plaftorm is out, but since this process seems pretty time consuming it happens only when a critical product is released.

It's the case of the new ISA Server 2006, for which Microsoft silently published an updated SCW on early August.

It works for both Standard and Enterprise edition and can be downloaded here.

Microsoft published a 37-pages paper about a rarely-treated topic: social engineering.

The large majority of people listening at social engineering examples usually smiles or laughes, thinking about action movies like Mission Impossible or 007 series.
Security professionals aren't much different: in years of security courses I rarely found persons sensible to the topic, or taking it seriously.

The biggest reason for such behaviour is unbelief. People simply don't believe someone is able to threat service desk like it happens on the movies.
Even those security professionals who are aware of social engineering, usually have an inner conviction that there are no real chances an attacker could use social engineering techniques.

This lead to a numer of documents about this topic near to zero.

How to Protect Insiders from Social Engineering Threats, aimed to SMB companies, is interesting because, while very introductory, touches several points, including how to plan a reception hall:

To attack your organization, social engineering hackers exploit the credulity, laziness, good manners, or even enthusiasm of your staff. Therefore it is difficult to defend against a socially engineered attack, because the targets may not realize that they have been duped, or may prefer not to admit it to other people. The goals of a social engineering hacker-someone who tries to gain unauthorized access to your computer systems-are similar to those of any other hacker: they want your company's money, information, or IT resources.

A social engineering hacker attempts to persuade your staff to provide information that will enable him or her to use your systems or system resources. Traditionally, this approach is known as a confidence trick. Many midsize and small companies believe that hacker attacks are a problem for large corporations or organizations that offer large financial rewards. Although this may have been the case in the past, the increase in cyber-crime means that hackers now target all sectors of the community, from corporations to individuals. Criminals may steal directly from a company, diverting funds or resources, but they may also use the company as a staging point through which they can perpetrate crimes against others. This approach makes it more difficult for authorities to trace these criminals...

Wireshark, the most popular network analyzer in the world (once known as Ethereal), reached version 0.99.3.

This new release introduces some very interesting feautres:

• support for ESP, Kerberos, and SSL decryption


• support for USB wireless adapters


• firewall rules writing capability

Last 2 of them deserve a detailed explaination.


Support for USB wireless adapters is at the moment limited to a special USB 2.0 dongle CACE Technologies, the company developing Wireshark, is selling online.
It costs $189 which is pretty high if you consider the average price for such gear is $50.

Wireshark is able to put the wireless adapter in monitor mode (the equivalent of promiscous mode in the Ethernet world) thanks to a new packet driver for Windows: AirPcap.

AirPcap is a different project from the universal packet driver originally deleloped by Politecnico di Torino italian university, WinPcap (even if they are fully integrated since new version 4.0 beta 1), and is not included in the standard Wireshark package.

Unfortunately there are no informations about which vendor manifactures the CACE dongle or about AirPcap compatibility with other USB adapters.


Firewall rules writing capability is much more unexpected.

Wireshark is now able to build simple ACL rules for most popular firewalls, including Windows Firewall, starting from any captured package.


The interface is still very raw (it doesn't permit to create multiple rules given a group of selected packets) but the idea in itself is very interesting.

While I don't think at the moment this feature is particularly useful, the immediate translation of the rule in every major rulebase language is particularly appreciated and has a great educative value.

I hope to see support for the new Windows Vista firewall (which finally is able to filter for both inbound and outbound directions) soon.

Check Point wasn't able to acquire SourceFire, but in the end maybe the two companies will be together in any case.

Forbes reported HP is going to massively invest in 2007 and among others a potential target is Check Point.

This could appear as an answer to growing interest of IBM in security companies, which just acquired Internet Security Systems (ISS).

If this acquisition would be confirmed I strongly doubt Check Point would be able to maintain its leadership in firewalls segment: HP could follow IBM path and blend Check Point offering with its customers-oriented services.
Also, HP is not known and trusted as security provider among the large public. Changing the name Check Point VPN-1 in HP VPN-1 would hardly conquer the interest and trust of potential customers.

I would say this can't be worst than being acquired by Symantec of Borg, but I'm not sure.


Update: Globes offers another point of view, suggesting Check Point could be near an acquisition or a merge with another company of the same size. Possibly the Nokia security division, manifacturing since so many years appliances for Check Point VPN-1.


Second update: In an interesting analysis Seeking Alpha reports Check Point's CEO firm intention to not be acquired.

Few Check Point customers remember or even know what Content Vectoring Protocol (CVP) is.

CVP, together with URL Filtering Protocol (UFP), are the foundations of a very old technology embedded in Check Point VPN-1 and generally called Content Security.
Content Security is the first attempt of the company to approach application inspection, security the 3 most critical protocols of the current business-over-Internet: HTTP, FTP and SMTP.

Content Security was already present when Check Point conquered big market shares with its Firewall-1 4.1 (aka 2000), more than 6 years ago, and can be considered the pioneering of modern application inspection. Or, if you prefer, the ancestor of today's Check Point Application Intelligence (AI) / Web Intelligence (WI).

This ancient technology, still present in recent VPN-1 versions, permits administrators to intercept and inspect application traffic by the use of user-mode daemons and vectoring protocols (CVP and UFP exactly).
Depending on required analysis HTTP, FTP and SMTP can be analized on the VPN-1 machine thanks to user-mode daemons, or sent to a 3rd party Security Server through vectoring protocols.

Check Point developed around its Content Security a whole consotium called OPSEC (Open Platform for Security), which permitted partners to develop and integrate new Security Servers with FW-1 through a freely available SDK.

Capabilities of user-mode daemons are very limited and Check Point itself suggests to approach a 3rd party Security Server.

At beginning the amount of partners offering their UFP/CVP-compliant solutions was notable, including biggest security players like Websense, TrendMicro, Symantec, etc.
But several factors concurred to reduce support to the OPSEC program during years and, one after another, put existing solutions out of the market.

First of all was too early: the market was't really ready to embrace application inspection, still being occupied in massively adoption of antivirus and firewalls as first defensive line.
Secondly and mostly performance of UFP/CVP solutions were simply indecent.

The way Content Security works with 3rd party Security Server imposes the inspected application session to travel back and forth through VPN-1 which acts like a proxy:

• Content Security is configured to do antivirus inspection of ongoing traffic with help of a 3rd party antivirus Security Server


• a new FTP session starts from a client on the Internet and wants to reach a protected FTP server


• the client's request of sending a new file triggers Security Server daemon on VPN-1


• the incoming file is intercepted by the user-mode daemon, incapsulated in the CVP and sent to the 3rd party antivirus (meanwhile the FTP session is on hold)


• the 3rd party antivirus checks and possibly disinfects the received file


• the 3rd party antivirus sends back to the firewall the disinfected file through CVP


• the disinfected file is decapsulated from CVP and finally sent to FTP server

This scheme has a lot of problems and the most critical is obviously speed.

Since the born of Content Security a large amount of customers lamented sessions time-out, missing or compromised files, network segments congestions, etc.
And if you consider it works not only with FTP but also with SMTP, you can understand risks in its adoption.

I won't go any further exploring Content Security problems since you can figure out from yourself. I just will say that depending on these performances, few customers in the world adopted the tecnology, avoiding OPSEC partners to return on investment of producing a dedicated UFP/CVP solution.
So, simply, while still existing Content Security cannot be used anymore.

Until today.

Kasperski, which is having a big success these days with the inclusion of its engine in the new AOL offering, just launched a version of its Anti-Virus 5.5 for Check Point VPN-1 (still called Firewall-1, which is a deprecated name), interacting with CVP.

The funny thing is official announcement states:

The advanced scalability of the solution makes it eminently suitable for use in the largest organizations that see heavy traffic loads. The system administrator can choose to run multiple copies of the antivirus engine and multiple CVP servers for processing requests from the firewall to meet peaks in traffic volumes. Moreover, the solution is optimized for use on the Intel Xeon platform.

If you really decide to adopt this solution, pretend a very extensive and assisted pilot on real-world traffic. Otherwise you'll discover Content Security performances too late.

Did you read the free TCP/IP Guide from No Starch Press as I suggested?

If so it's time to approach more directly security topics. And you are lucky.

Wiley authorized the online publishing of the whole 640 pages book: Security Engineering: A Guide to Building Dependable Distributed Systems by Ross J. Anderson. For free.

Even if this book has been published at beginning of 2001 it's one of the best tome ever published and still represent a fundamental part of every security professional bookshelf.


Thanks to TaoSecurity for the news.