[32036] in North American Network Operators' Group
RE: Security on a home DSL Line
daemon@ATHENA.MIT.EDU (Mathew Butler)
Fri Nov 3 17:29:06 2000
Message-ID: <F062E72E4BA2D4119F1700B0D03D205F396A@MAIL>
From: Mathew Butler <mbutler@tonbu.com>
To: 'Joe Shaw' <jshaw@insync.net>, Rishi Singh <singh@marketxt.com>
Cc: 'Dennis Dayman' <ddayman@mail-abuse.org>,
"'nanog@merit.edu'" <nanog@merit.edu>
Date: Fri, 3 Nov 2000 14:18:54 -0800
Errors-To: owner-nanog-outgoing@merit.edu
Actually, I think it'd be nice if there were an "Expert Settings" mode that
you were told how to get into in the manual... and that only that menu would
be able to set it to the ultra-paranoid (i.e., debugging) level.
The default user interface should only be able to set it up to 'mildly
paranoid'.
(Incidentally, there was a roaring discussion about this over on grc.com's
newsgroups, about a month back. Since Steve Gibson configured his
newsserver to archive all messages into the archive.* hierarchy, you
might/should be able to find it all... if you want to spend the time to do
so.)
-Mat Butler
-----Original Message-----
From: Joe Shaw [mailto:jshaw@insync.net]
Sent: Friday, November 03, 2000 2:11 PM
To: Rishi Singh
Cc: 'Dennis Dayman'; 'nanog@merit.edu'
Subject: RE: Security on a home DSL Line
It still doesn't do things like list the source port of the offending
attack. It still reports things like traceroutes as suspicious
activity. It's not so much that BlackIce is a bad product, it's the fact
that most of the users who use it and the other software packages like it
are generally not very clued and will fly off the handle reporting all
sorts of things as attacks or attempts to access their computer. I've
actually spent an entire weekend being paged by our NOC to deal with
someone who had BlackIce, and another program that would e-mail abuse@ for
the IP address it considered to be attacking, in this case what it was
saying was a UDP flood coming from various IPs of equipment we have. One
thing led to another, and it turned out he was being UDP flooded by
streaming media servers (RTSP anyone?), and his automated reporting
facility was mailing these complaints out to the NOC. We had another
person who was screaming bloody murder about being hacked, when he was
tracerouted to twice over a 24 hour period. That hardly counts as an
intrusion.
Generally, if someone is having an issue and all they have to go on is
BlackIce output, we need pretty evident proof that there's an actual
problem. One cool feature is the fact that BlackIce can detect certain
types of traffic, like nmap scans, queso, snmp queries, and the like. But
if all I've got to go on is a 5 packet 'UDP flood,' the source IP, the
destination IP, and the destination port, it gets old quick. Couldn't it
just look at the source port and say "This looks like RTSP," or "This is
only 5 packets, probably not a big deal." It really depends on how
sensitive the person who has it sets it, but I've yet to see anyone who
doesn't set it as high as it will go. A warning that says it might be as
ultra-paranoid as a strung out conspiracy theorist at the highest
settings might not be a bad idea.
I think the last version we looked at was the latest version available in
July/August. We were looking at it to use as a firewalling solution for
our mobile users, but we just couldn't deal with the number of calls
people would make to us saying they were being scanned by all the local
Windows machines on the network while they were in the office, or
countless other issues. We're still looking at other solutions, but few
really have any sort of centralized monitoring/reporting ability.
--
Joseph W. Shaw
Sr. Network Security Specialist for Big Company not to be named because I
don't speak for them here. I have public opinions, and they don't.
On Fri, 3 Nov 2000, Rishi Singh wrote:
> That was a very old version of BlackIce Defender you are referring to. I
> know exactly which version you are talking about as I had similar problems
> with it. However NetworkIce seems to be a pretty responsive company when it
> comes to complaints and I beta test their products for them.
>
> All of the dev/null stuff has been eliminated in the last few releases,
> including erroneous reports and extraneous information. You should try it
> now, I think you will be more impressed than you were with the older
> version.
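Added example, not code from the thread, from BlackIce or from NetworkIce: the
triage Joe Shaw wishes the product did before paging an abuse desk, run over a
few constructed alert lines. Look at the source port before calling something
a flood, recognise a traceroute by its UDP destination-port range, and treat a
handful of packets as low-volume noise rather than an intrusion. The CSV alert
format, the streaming-server source-port allowlist and the packet/pps
thresholds are assumptions an operator would tune, not anything the product
defines.

```python
"""Triage of personal-firewall "attack" alerts before they reach an abuse desk.

Alert lines use a made-up CSV format (constructed for this example):
    src_ip,src_port,dst_ip,dst_port,proto,packets,seconds
"""
from dataclasses import dataclass

RTSP_PORT = 554
# Assumed, operator-maintained allowlist of UDP source ports that the streaming
# media servers you actually run use for return traffic. Adjust to taste.
STREAMING_SRC_PORTS = set(range(6970, 7171))
# Classic UNIX traceroute sends UDP probes to destination ports from 33434 up;
# three probes per hop for up to 30 hops is at most 90 packets.
TRACEROUTE_PORTS = range(33434, 33535)
TRACEROUTE_MAX_PACKETS = 90
# Well-known service ports whose replies to an ephemeral port are not attacks.
REPLY_SRC_PORTS = {53, 80, 443}

# Constructed sample alerts (documentation addresses, not real hosts).
SAMPLE_ALERTS = """\
203.0.113.10,554,198.51.100.7,6970,udp,5,2
203.0.113.11,7000,198.51.100.7,33003,udp,5,1
203.0.113.12,41021,198.51.100.7,33437,udp,3,2
203.0.113.13,55120,198.51.100.7,139,tcp,1200,5
192.0.2.9,443,198.51.100.7,51234,tcp,2,1
203.0.113.14,52000,198.51.100.7,1434,udp,5,1
"""


@dataclass(frozen=True)
class Alert:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    seconds: int

    @property
    def pps(self) -> float:
        return self.packets / max(self.seconds, 1)


def parse_alert(line: str) -> Alert:
    f = [x.strip() for x in line.split(",")]
    if len(f) != 7:
        raise ValueError(f"malformed alert: {line!r}")
    return Alert(f[0], int(f[1]), f[2], int(f[3]), f[4].lower(), int(f[5]), int(f[6]))


def classify(a: Alert, min_packets: int = 20, min_pps: float = 50.0) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'ignore', 'informational' or 'escalate'."""
    if a.proto == "udp" and a.dst_port in TRACEROUTE_PORTS and a.packets <= TRACEROUTE_MAX_PACKETS:
        return "ignore", "traceroute probes (UDP dst port 33434-33534)"
    if a.src_port == RTSP_PORT or (a.proto == "udp" and a.src_port in STREAMING_SRC_PORTS):
        return "ignore", f"return traffic from streaming server port {a.src_port}"
    if a.src_port in REPLY_SRC_PORTS and a.dst_port >= 1024:
        return "ignore", f"reply traffic from well-known service port {a.src_port}"
    if a.packets < min_packets and a.pps < min_pps:
        return "informational", f"only {a.packets} packets, below flood threshold"
    return "escalate", f"{a.packets} {a.proto} packets ({a.pps:.0f} pps) to port {a.dst_port}"


def triage(text: str, **thresholds) -> list[tuple[Alert, str, str]]:
    """Parse every non-empty, non-comment alert line and classify it."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        alert = parse_alert(line)
        verdict, reason = classify(alert, **thresholds)
        results.append((alert, verdict, reason))
    return results


def needs_abuse_report(text: str, **thresholds) -> list[Alert]:
    """Only the alerts worth a human's time go out to abuse@."""
    return [a for a, verdict, _ in triage(text, **thresholds) if verdict == "escalate"]


if __name__ == "__main__":
    for alert, verdict, reason in triage(SAMPLE_ALERTS):
        print(f"{verdict:13} {alert.src_ip}:{alert.src_port} -> "
              f"{alert.dst_ip}:{alert.dst_port}  {reason}")
```

Of the six constructed alerts only the 1200-packet TCP burst at port 139 is
escalated; the RTSP/streaming return traffic, the traceroute and the HTTPS reply
are dropped on the source or destination port alone, and the five-packet UDP
"flood" is logged but never reaches the NOC. Lowering min_packets is the
"ultra-paranoid" setting Mat describes: it should be reachable, but not from
the default menu.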