Thursday, June 17, 2010

Free and Commercial Firewall Analysis Tools

Q: Hello,

Do we have a tool for analyzing Cisco ASA/PIX and router config files? The client has a 2500-line config, and I would like to be able to run some reports on the configuration.

Thanks,

A:
There are several audit tools with different features. The most common features in these tools are:
  • Rule analysis to detect security holes in the configuration (e.g. allow any)
  • Configuration analysis to find duplicate/overlapping or unnecessary settings/rules/objects
  • Log file analysis to find the most-used rules and objects
  • Rulebase analysis to find unused/unconsolidated objects and rules
  • Simulation of changes
  • Risk analysis
  • Access analysis across multiple firewall rulebases (can point A reach point B using service C?)
  • Workflow automation
  • Backup management
  • Normalization of different firewall rulebases (e.g. Cisco, Juniper and Check Point in the same format)
  • Change management
  • Regular log analysis

Of course, not every solution offers every feature. Firewall vendors also provide several tools to make audits easier.

That being said, I have seen two freeware config audit tools for Cisco (RAT and Nipper):
http://www.titania.co.uk/ Nipper
http://ncat.sourceforge.net/ RAT

The commercial area is more active, and these products usually cover the usual suspects (Check Point, Juniper, Cisco, Fortinet):

http://www.tufin.com SecureTrack, SecureChange Workflow
http://www.algosec.com Firewall Analyzer, FireFlow
http://www.securepassage.com Firemon
http://www.manageengine.com Firewall Log Analyzer
http://www.skyboxsecurity.com/ CertiFire, Firewall Analysis
http://www.redseal.net/ Redseal Vulnerability Advisor
http://www.athenasecurity.net FirePac, Verify

Let me know if you have a specific question.
cheers,
- yinal

HIPS and VPN Concentrator Network Deployment

Q: How to decide the placement of a Host-Based Intrusion Prevention System & VPN Concentrator?
What are the criteria for deciding the placement of HIPS and a VPN concentrator?

A: Hi XXXXX,
Your question generated more questions than answers : )
Here is how I think about where host-based IPS should be:
  • HIPS should be installed on hosts which need IPS (based on risk assessment).
  • HIPS should not be installed on hosts where installing a 3rd party agent may decrease the reliability of the services on the host system.
  • HIPS should not be installed on hosts where installing a 3rd party agent may slow down the host system due to extra resource utilization, added latency, etc.
  • HIPS should be installed when it is possible to manage it. In large-scale deployments remote installation, central management, etc. are usually more important than security.
Here are the important points of VPN concentrator placement:
  • It is recommended that your VPN concentrator has trusted and untrusted segments. (It is also possible to deploy one-arm, single-interface deployments, but for management and audit I recommend two segments, where the untrusted segment is Internet facing.)
  • The untrusted segment should be protected by a firewall (usually in a dedicated DMZ) even if all VPN vendors claim to be very secure. Make sure that the firewall protecting your VPN supports IPsec pass-through (if you are using IPsec).
  • Instead of hooking the trusted (internal) segment into your internal networks, connect your trusted segment back to the firewall so that decrypted traffic is firewalled. If you have an IPS, make sure that the IDS/IPS is inspecting decrypted traffic.
  • Make sure that you have a dedicated management network to manage the VPN concentrator. If you do not have an extra management interface, use the trusted interface for management. Do not allow management over the untrusted interface.
  • Do not deploy NAT before the VPN traffic hits your concentrator; try to use real public IP address(es) on the untrusted/public side of your concentrator, since using private addresses may create configuration nightmares.
  • Check the destination networks for VPN clients or remote VPN sites on your network. Analyze the protocols. Sometimes, based on the nature of the traffic (e.g. complex VoIP), you may need to hook your concentrator directly into your network. Always check reverse routing for VPN networks.
  • Verify IP address assignments for VPN clients; choose a subnet that will not create internal routing problems (e.g. overlapping IP address space, dynamic routing, etc.). If you are dealing with site-to-site VPNs, make sure that you address overlapping IP address spaces.
  • Check the location of authentication servers. The concentrator must be placed in close/redundant proximity to the authentication servers (AD, RADIUS, TACACS, LDAP, etc.). Make sure that communication with the auth servers is not an issue.
  • Verify multiple entry points: if you are deploying concentrators in HA, make sure that failover works properly and that NAT issues and IP address assignments for the different concentrators are configured properly. Also make sure that your access logs can be unified.

Let me know if you have a specific question,
Cheers,
- yinal
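
The address-planning points above (client pool overlapping internal space, reverse routing, overlapping site-to-site subnets) are easy to check before the concentrator is racked. The following Python script is an added example, not part of the original answer; the address plan and candidate pools in it are constructed, and the names hq-users, branch-a, etc. are assumptions for illustration.

```python
"""VPN address-plan sanity check.

Added example, not from the original post. Uses Python's ipaddress module to
catch two of the problems listed above before the concentrator is deployed:
a remote-access client pool or site-to-site subnet that overlaps the networks
already routed internally (reverse routing breaks), and two remote sites that
share the same address space (needs NAT on the tunnel). All prefixes below
are constructed examples.
"""
import ipaddress
from itertools import combinations
from typing import Dict, List, Optional, Tuple


def find_overlaps(prefixes: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of named prefixes whose address space overlaps."""
    nets = {name: ipaddress.ip_network(p, strict=False) for name, p in prefixes.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def choose_client_pool(candidates: List[str], in_use: Dict[str, str]) -> Optional[str]:
    """First candidate pool that collides with none of the prefixes already in use."""
    used = [ipaddress.ip_network(p, strict=False) for p in in_use.values()]
    for cand in candidates:
        net = ipaddress.ip_network(cand, strict=False)
        if not any(net.overlaps(u) for u in used):
            return cand
    return None


# Constructed address plan: internal networks, remote sites and the proposed client pool.
PLAN = {
    "hq-users": "10.0.0.0/16",
    "hq-servers": "10.1.0.0/16",
    "branch-a": "192.168.10.0/24",
    "branch-b": "192.168.10.0/24",       # same space as branch-a: NAT needed on the tunnel
    "vpn-client-pool": "10.1.200.0/24",  # carved out of hq-servers: reverse routing breaks
}
CANDIDATE_POOLS = ["10.1.200.0/24", "10.0.50.0/24", "10.250.0.0/22"]


def plan_report(plan: Dict[str, str],
                candidates: List[str]) -> Tuple[List[Tuple[str, str]], Optional[str]]:
    """Overlapping pairs in the plan, and a client pool that would not collide."""
    overlaps = find_overlaps(plan)
    existing = {k: v for k, v in plan.items() if k != "vpn-client-pool"}
    return overlaps, choose_client_pool(candidates, existing)


if __name__ == "__main__":
    overlaps, pool = plan_report(PLAN, CANDIDATE_POOLS)
    for a, b in overlaps:
        print(f"OVERLAP: {a} ({PLAN[a]}) and {b} ({PLAN[b]})")
    print("usable client pool:", pool)
```

The script reports the client pool colliding with hq-servers and the two branches sharing 192.168.10.0/24, and picks 10.250.0.0/22 as the first candidate pool that conflicts with nothing; the same check can be re-run against each concentrator's pool in an HA pair so the pools do not overlap each other either.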

Saturday, June 5, 2010

Why did Symantec buy Verisign's security business ?

Q: Why did Symantec buy Verisign's security business ?
A 3.5x revenue multiple for a revenue stream consisting largely of a commoditized business (SSL) begs for a strong rationale that goes beyond pure top-line growth for this acquisition. Would love to hear of use cases that this will enable that will result in new products/offers from this combined entity.

A: Here are quick comments:
1- Symantec will have direct access to almost all major enterprise accounts through Verisign's SSL certificate relationships. There are a lot of cross-sell opportunities for Symantec, such as securing server-to-server communication. On the retail side, Symantec can cross-sell the Norton line at Verisign's high-volume SSL online store.

2- Last year Verisign sold its MSS (to SecureWorks) and security consulting (to AT&T) units; these were the units that overlapped with Symantec. The security products that Symantec acquired from Verisign do not overlap with Symantec's existing portfolio.

3- Related to the note above, Symantec could not provide full identity management solutions. With the Verisign acquisition (SSL certificates, Trust Seal, PKI, VIP) they will fill in a big gap. This creates a nice go-to-market plan, e.g. hosted PKI, Norton Identity Safe, etc.

4- All cloud-based / remote management solutions (e.g. HEP from Symantec) rely on certificates; the Verisign acquisition will play a strong role in Symantec's cloud strategy. Identity security is a key building block in delivering cloud-based solutions for data security and compliance.

5- Check out the PGP and GuardianEdge acquisitions. They will all integrate well with the Vontu line when Verisign's solutions are added to the mix. Verisign complements encryption really well. Re-evaluate the data at rest, data in transit and data in use terms : )

6- Verisign has a good brand name; Symantec can definitely leverage the Verisign name.

7- The value of the deal can be multiplied if Symantec manages to integrate its security solutions (including this Verisign portfolio) with its Veritas, Altiris, MSS, and Hosted Security (MessageLabs) lines.

Let me know if you have a specific question,

regards,
- yinal ozkan
 (on personal behalf)

DLP as a Service: What's the business case for this?

Question:
DLP as a Service: What's the business case for this?

Answer:
Xxxxxx,
DLP can leverage all the advantages of "service-alization" of legacy information systems.
If we define a service as a standard offering delivered by a service provider, the business case (of DLP as a service versus a technology solution) can be summarized as:
1- Leveraging economies of scale by utilizing shared resources at the service provider
2- Leveraging deep technical specialization at the service provider, since the service provider can afford dedicated specialists (not because they are more intelligent), and leveraging the know-how gained from managing multiple customers
3- A measurements and metrics program guaranteed by service level agreements
4- Ability to scale up/down easily; more reliability and redundancy on the provider side
5- The old capex vs. opex discussion
6- No operational worries (e.g. who will patch my appliance?); focus on core business goals and competitiveness
7- Pay-as-you-go elastic service

But if you look at DLP-specific cases, the answers could be categorized in many different buckets (this might differ from one organization to another). We believe that a DLP program must include:
• DLP program management (GRC, policies, procedures)
• Endpoint enforcement components
• Secure remote access components
• Data classification & governance components
• Encryption components
• Rights management components
• Training and user awareness component
• Incident management component
• Central monitoring, access control, RBAC and the usual InfoSec components

This can all be offered as a hybrid service of people, process, technology and managed services. Usually an important component of a DLP program is the network-based DLP gateway solution. A managed offering for a network-level DLP gateway may offer:
1- Ability to get a clean pipe from the service provider (e.g. prevention in the cloud)
2- Ability to leverage a wide set of solutions for the recognition of different data types / file formats, since the service provider is developing the service for other customers as well
3- Ability to get experts for custom scripting (yes, you will need this)
4- Transparent deployment
5- Correlation of events with other network activities (e.g. IPS, anomaly detection, content security solutions, firewalls, AV, etc.)


Open Source IDS/IPS

Question : Are there an open source IDS or Firewall which alert the command center or system administrator by pager, e-mail or cell phone when an event listed on the company’s security event list is triggered?

Answer:
Xxxxxxxxxx,
The answer depends on the company's security event list. The first prerequisite is that you need to find an open-source IDS or firewall that can detect the security events in the list. The detection success rate will depend on the complexity of the security events in your list.

Firewalls are usually not very good at malicious activity detection, so an IDS/IPS is a better idea. Snort is a good start (http://www.snort.org/). It is open source and it allows you to configure your own custom detection signatures and rules.

Alerting is simple: you can configure Snort to alert via e-mail, and e-mail messages can be converted to SMS and pager messages easily (you may need to pay for SMS messages depending on the destination and/or geographic location).

For IDS/IPS deployment you have to be careful. You might be receiving millions of alerts, so forwarding each of them as a message might not be the best idea. You need to tune your IDS to report real incidents only (e.g. you may have detected 1 million identical events, but all you need to know is what the incident is, when it started and what its frequency is). Also remember that Snort will only inspect cleartext traffic on day 1 unless you are decrypting the encrypted traffic.

Another approach is to use a Security Information and Event Management (SIEM) solution in addition to the IDS. Forward all Snort alerts and other alerts (e.g. Windows logs, syslog) to your SIEM tool and make sure that the SIEM consolidates, normalizes and correlates the alerts for you, so that you receive the final information from the SIEM instead of from the IDS tools. There are open-source SIEM tools like OSSIM (http://sourceforge.net/projects/os-sim/) and Cyberoam iView (http://sourceforge.net/projects/cyberoam-iview/files/).

Let me know if you have a specific question,

Cheers,
- yinal
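
As an added example (not part of the original answer, and not Snort's own output module), the following Python script shows the "tune before you page" step described above: it reads Snort alerts in the default fast-alert format, collapses identical (signature, source, destination) events into one incident with first-seen time, count and rate, and produces one notification per incident at or above a chosen priority instead of one message per event. The alert lines are constructed for the example (made-up SIDs 1000001 to 1000003), and the script assumes IPv4 addresses and a single year of logs, since the fast format carries no year.

```python
"""Aggregate Snort fast-format alerts into incidents before paging anyone.

Added example, not part of the original post and not a Snort output plugin.
Input: lines like
  06/17-10:15:01.100000  [**] [1:1000001:1] msg [**] [Classification: x] [Priority: 1] {TCP} a.b.c.d:p -> e.f.g.h:q
Output: one incident per (sid, source IP, destination IP) with first/last seen,
count and events-per-minute, and one short notification per incident whose
Snort priority is urgent enough (priority 1 is the most urgent).
Assumptions: IPv4 addresses (port is split off at the last ':') and alerts
from a single year, since the default fast format has no year field.
"""
import re
from collections import OrderedDict
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

Key = Tuple[str, str, str]          # (sid, source IP, destination IP)


def parse_alert(line: str) -> Optional[dict]:
    """Parse one fast-format alert line; return None for lines that do not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    # No year in the fast format: strptime fills in 1900, fine for intervals.
    a["time"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")
    a["src_ip"] = a["src"].rsplit(":", 1)[0]   # drop the port if present (IPv4 only)
    a["dst_ip"] = a["dst"].rsplit(":", 1)[0]
    a["pri"] = int(a["pri"])
    return a


def aggregate(lines: Iterable[str]) -> "OrderedDict[Key, dict]":
    """Collapse identical events into incidents, keeping first/last seen and a count."""
    incidents: "OrderedDict[Key, dict]" = OrderedDict()
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        key = (a["sid"], a["src_ip"], a["dst_ip"])
        inc = incidents.get(key)
        if inc is None:
            incidents[key] = {"msg": a["msg"], "priority": a["pri"],
                              "first": a["time"], "last": a["time"], "count": 1}
        else:
            inc["last"] = a["time"]
            inc["count"] += 1
    return incidents


def rate_per_minute(inc: dict) -> float:
    """Events per minute over the incident's observed span (at least one second)."""
    span = (inc["last"] - inc["first"]).total_seconds()
    return inc["count"] * 60.0 / max(span, 1.0)


def notifications(incidents: Dict[Key, dict], max_priority: int = 2) -> List[str]:
    """One message per incident at priority <= max_priority (1 is most urgent)."""
    out = []
    for (sid, src, dst), inc in incidents.items():
        if inc["priority"] > max_priority:
            continue
        out.append(f"[P{inc['priority']}] sid {sid} {inc['msg']} {src} -> {dst}: "
                   f"{inc['count']} events since {inc['first']:%m/%d %H:%M:%S}, "
                   f"~{rate_per_minute(inc):.0f}/min")
    return out


# Constructed alert lines with made-up SIDs; not real Snort output.
SAMPLE_ALERTS = """\
06/17-10:15:01.100000  [**] [1:1000001:1] CONSTRUCTED web shell probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:51234 -> 10.0.0.12:80
06/17-10:15:04.250000  [**] [1:1000001:1] CONSTRUCTED web shell probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:51240 -> 10.0.0.12:80
06/17-10:15:06.000000  [**] [1:1000002:2] CONSTRUCTED ICMP ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 10.0.0.12
06/17-10:15:09.300000  [**] [1:1000001:1] CONSTRUCTED web shell probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:51250 -> 10.0.0.12:80
06/17-10:15:12.000000  [**] [1:1000002:2] CONSTRUCTED ICMP ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 10.0.0.13
06/17-10:15:15.500000  [**] [1:1000003:1] CONSTRUCTED SSH brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 2] {TCP} 192.0.2.9:40000 -> 10.0.0.20:22
"""

if __name__ == "__main__":
    for message in notifications(aggregate(SAMPLE_ALERTS.splitlines())):
        print(message)
```

Six alert lines become four incidents, and only two of them (the priority 1 probe and the priority 2 brute force) turn into pages; the two ping-sweep incidents stay in the log for the SIEM to correlate. In production the same loop would tail the alert file (or read from a unified2/syslog feed) and remember which incidents it has already announced, re-notifying only when the count or rate changes materially.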