Dec 15

Why does Stonesoft support ask for sginfo files?

Firewall Engine, IPS, SMC, SSL VPN

Have you ever been in the situation where you needed Stonesoft Support to help you troubleshoot a problem you are having only to be told to send them an sginfo and they will investigate?  Ever wonder why?


written by SideKick

Sep 09

When timely patching is just not enough

IPS

Microsoft has just released the September security bulletins. There are 5 bulletins and all of them are rated critical.

The bulletins describe both client- and server-side remote code execution vulnerabilities, and for most of them functional exploit code is *likely*, see http://www.microsoft.com/technet/security/bulletin/ms09-sep.mspx

The StoneGate IPS is able to prevent exploits against most of these vulnerabilities, but it cannot protect against MS09-049, “Vulnerability in Wireless LAN AutoConfig Service Could Allow Remote Code Execution (970710)”, because that vulnerability is exposed on the wireless network itself, where the traffic never passes through a network IPS. Luckily, you can install the patches released alongside the bulletins to fix these vulnerabilities.

But there are also unpatched vulnerabilities threatening your Windows systems.

Windows Vista, Windows 7 RC and Server 2008 are affected by a vulnerability in their file sharing service that allows remote code execution. There are no patches available, but exploits are. See http://www.microsoft.com/technet/security/advisory/975497.mspx

The FTP server in IIS 5 and IIS 6 also contains a vulnerability that can be exploited to cause a denial of service and, at least in IIS 5, remote code execution. Again, there are no patches available, but exploits are.

The StoneGate IPS (SGIPS) can prevent attacks against these unpatched vulnerabilities while you wait for the vendor patches.

written by Olli-Pekka Niemi

Jun 05

Press hack the lab a success

IPS, Live from Field

Hi all!

As we wrote earlier, last week we offered selected Finnish journalists a rare chance to peek into the mind of an IT criminal. The event, called “Hack the lab”, was a total success. After some initial hesitation, a wave of enthusiasm and the joy of discovery spread among the participants. The journalists had the chance to try out different techniques, such as port scanning, password cracking and the use of intrusion tools. We let them do all the work and just provided some advice and guidance in the background.

Based on the feedback, we realised that the editors were really surprised by how easy it is to break into a system. None of them could have imagined how easy it is to find powerful tools on the Internet and how easy they are to use. Sure, we should keep in mind that someone has gone to great trouble to build those tools in the first place. Nevertheless, the point remains. The journalists also understood how important it is to have an up-to-date, modern intrusion prevention system in place. When we protected the target systems with our SGIPS, the hacks were unsuccessful. Without the IPS, the target systems were completely owned.

The event generated some coverage as well, please see the links below. (Articles in Finnish)

YLE: Hakkerointi onnistuu kaikilta (“Anyone can hack”)
mesiksen mietteet: Hakkerilabra opettaa pomoille tietoturvamokia (“Hacker lab teaches bosses about security blunders”)
Tietokone: Hakkerilabra opettaa pahimmat tietoturvamokat (“Hacker lab teaches the worst security blunders”)
Helsingin Sanomat: Mustahuppuinen hakkeri ja salaiset reseptit (“The black-hooded hacker and the secret recipes”, for subscribers only)

written by Olli-Pekka Niemi

Mar 16

StoneGate 5.0: User responses

Feature Previews, IPS, SMC

With StoneGate 5.0, administrators can configure HTML user responses that are shown in the end user’s web browser. The idea of HTML user responses is to tell end users why their connection was blocked.

HTML user responses

The administrator can customize the HTML user responses for the following cases:

  • Connection blacklisted
  • Connection refused by access rule
  • Connection terminated by inspection rule
  • URL not allowed
  • Virus found

For each case the administrator can decide whether to:

  • Close the TCP connection silently
  • Redirect the user to a specified URL
  • Show a customized HTML response

You can, for example, notify end users that their web browser is outdated. To make things as smooth as possible for them, include a link to the browser update in the customized HTML user response.

written by Tero Jantunen

Mar 13

StoneGate 5.0: HTTPS / SSL inspection

Feature Previews, IPS, SMC

HTTPS inspection

StoneGate IPS 5.0 allows you to protect your hosts and servers against attacks hidden inside HTTPS. Here are a couple of use cases you may want to try with StoneGate 5.0:

Client side protection:

  • Detect and block attacks targeting client web browsers inside the SSL tunnel.
  • Protect workstations and internal networks from malicious web servers.

Server side protection:

  • Detect and block attacks targeting the HTTPS server inside the SSL tunnel.
  • Protect the server from being compromised by unauthorized users.

The HTTPS inspection feature also supports Certificate Revocation Lists (CRL); the list is updated via the SMC.

You can also whitelist the web sites you don’t want to inspect. A new HTTPS inspection policy element is provided for this, and it is where you should add your users’ bank services and the like.

written by Tero Jantunen

Feb 19

Optimizing IPS Bypass Operation

Hints and Tips, IPS, Tech dives

I recently wrote about clustered FW/IPS installations, and in that discussion a question was raised about the bypass functionality of the IPS appliances. So, let’s have a look.

written by olli

Feb 18

Connecting Inline IPS and Firewall Cluster

IPS, Tech dives

The most common place for an IPS is right behind the edge firewall, where it inspects everything that gets through the firewall. The firewall filters out most of the inbound crap, which is too obviously unwanted to be worth inspecting with the IPS. This is a fairly straightforward setup: you just connect the inline IPS between the firewall and the internal switch, with crossover cables from the firewall to the IPS and straight cables from the IPS to the switch, and you’re done. StoneGate IPS in inline mode looks like a cable to the network. It does not alter allowed traffic in any way, so deployment is simple.

Simple FW/IPS setup

Clustering the firewall does not seem to change much: you just add an IPS (or an inline pair) for each additional firewall node. Still quite straightforward.

Redundant setup

Let’s now stop and think for a minute.  What does this setup mean, how does it work?


written by olli

Feb 05

StoneGate IPS helped get rid of brute-force attackers

IPS

Hello,

We opened a new SSH service to the public a few weeks ago. Pretty soon after that, multiple IP addresses started to bombard the service with password-guessing attacks. Well, the passwords of the accounts behind the server are quite complex, but the attackers still annoyed me.

One of our IPSs has a capture interface in the DMZ where the SSH service is running. I enabled access logging of the SSH traffic to that server in the IPS and created a new correlation situation for the Analyzer. The correlation (a count type) activates whenever there are too many connection attempts from a single IP address to the SSH service in a short time.

And if there are, the Analyzer sends a blacklist request to the firewall, asking it to block all further connections from the misbehaving client to the SSH service for the next 10 minutes. This slows down the brute-force attack but does no long-term harm to legitimate customers if they accidentally mistype their passwords several times.

The result? See for yourself in the following snapshot from a StoneGate report. The service was put online around Jan 15th, and right after that the bombardment started. The blacklist rule has been in effect since last Friday, Jan 30th. Six attackers have been cut off since then, and none of them has dared to come back. No complaints from the real users.

SSH connections from different source addresses


written by joona
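The count-type correlation and 10-minute blacklist described in this post, as an added Python example that is not StoneGate’s Analyzer or any of its configuration. The correlation window, the attempt threshold, the addresses and the timestamps are assumptions; only the 10-minute block comes from the post. It also shows the edge the post cares about: a legitimate user who mistypes a few times stays under the threshold, and the attacker is let back in once the block expires.

```python
from collections import defaultdict, deque

# Added example, not StoneGate's Analyzer code. The values below are
# assumptions except the 10-minute blacklist, which the post states.
WINDOW_SECONDS = 60        # "a short time": assumed correlation window
THRESHOLD = 5              # "too many connection attempts": assumed count
BLACKLIST_SECONDS = 600    # block further connections for 10 minutes


class BruteForceCorrelator:
    """Count-type correlation: THRESHOLD attempts from one source inside the
    window produce a blacklist entry that expires on its own."""

    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD,
                 blacklist_for=BLACKLIST_SECONDS):
        self.window = window
        self.threshold = threshold
        self.blacklist_for = blacklist_for
        self.attempts = defaultdict(deque)   # src_ip -> attempt timestamps in window
        self.blacklist = {}                  # src_ip -> expiry timestamp

    def is_blacklisted(self, src_ip, now):
        expiry = self.blacklist.get(src_ip)
        if expiry is None:
            return False
        if now >= expiry:                    # entry has aged out, drop it
            del self.blacklist[src_ip]
            return False
        return True

    def observe(self, ts, src_ip):
        """Feed one SSH connection attempt; return the verdict for it."""
        if self.is_blacklisted(src_ip, ts):
            return "blocked"                 # the firewall drops it for the block period
        window = self.attempts[src_ip]
        window.append(ts)
        while window and ts - window[0] > self.window:
            window.popleft()                 # forget attempts older than the window
        if len(window) >= self.threshold:
            self.blacklist[src_ip] = ts + self.blacklist_for
            window.clear()                   # start counting afresh after the block
            return "blacklisted"
        return "allowed"


def replay(events, correlator=None):
    """Replay (timestamp, src_ip) events in time order; return verdicts per source."""
    if correlator is None:
        correlator = BruteForceCorrelator()
    verdicts = defaultdict(list)
    for ts, src_ip in sorted(events):
        verdicts[src_ip].append(correlator.observe(ts, src_ip))
    return dict(verdicts)


# Constructed events (seconds since the service came up), not real logs:
# a scanner hammering the port, a legitimate user mistyping three times,
# and the scanner trying again during and after its 10-minute block.
ATTACKER, USER = "198.51.100.7", "203.0.113.5"
SAMPLE_EVENTS = (
    [(t, ATTACKER) for t in range(8)]
    + [(0, USER), (30, USER), (60, USER)]
    + [(300, ATTACKER), (700, ATTACKER)]
)

if __name__ == "__main__":
    for ip, verdicts in replay(SAMPLE_EVENTS).items():
        print(ip, " ".join(verdicts))
```

The attacker’s fifth attempt trips the threshold; everything it sends for the next 600 seconds is dropped without being counted, and at t=700 it is served again, which is exactly the “slows down the attack, no long-term harm” trade-off the post describes. Raising the window or the threshold trades earlier blocking against the chance of locking out a clumsy real user.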

Jan 07

I saw that eWEEK had listed the top 5 VMware virtual appliances, and StoneGate IPS was one of them. See the whole article.

written by snowball

Jan 02

How to Detect Plaintext Credit Card Numbers from the Traffic

IPS

The Payment Card Industry (PCI) Data Security Standard (DSS) requires that credit card information in web stores must be protected. Among other things, the standard requires that card numbers must not be transferred unencrypted over public networks, such as the Internet, or over wireless networks (WLAN, GSM, etc.).

I figured that StoneGate IPS would be pretty good at verifying that this requirement is met. Why not create a custom situation in StoneGate IPS that alerts every time it sees a plaintext credit card number on the network?

Wikipedia has a pretty good page describing how credit card numbers are composed. Some obsolete cards may still use 13-digit numbers, but all the major cards currently in use have 14, 15 or 16 digits. The first 6 digits are the Issuer Identification Number (IIN) and identify the institution that issued the card. The next seven, eight or nine digits are the account number, and the last digit is a check digit for the card (computed with the Luhn algorithm).

Different card brands group the digits a bit differently. The most typical grouping (used by Visa and Mastercard, possibly others) is four digits + four digits + four digits + four digits. American Express uses four digits + six digits + five digits. Note that the number groups are a different thing from the boundary between the issuer (IIN) and the account number! The grouping matters, however, if it is used in the card numbers while they are in transit over the network.

Thus we can create the fingerprint for the cards:

(?x)
.*[0-9]{14,16}|
.*[0-9]{4}[\-\x20][0-9]{4}[\-\x20][0-9]{4}[\-\x20][0-9]{4}|
.*[0-9]{4}[\-\x20][0-9]{6}[\-\x20][0-9]{5}

The first line enables the “extended readability mode”, which lets us add comments and whitespace to the fingerprint. One side effect is that every literal space must be written explicitly with the \x20 notation.

The second line matches digit sequences 14, 15 or 16 characters long. Note that it matches any such run, so timestamps, order numbers, session identifiers and the like will trigger it too, and a regular expression cannot verify the check digit mentioned above. Expect to tune this situation against false positives before acting on it.

The third line matches four four-digit groups separated by a “-” sign or a space.

The fourth line matches three groups (four digits, followed by six digits, followed by five digits) separated by a “-” sign or a space.

Note the “|” (OR) sign at the end of the second and third lines. It tells the IPS that the situation matches if any of lines 2, 3 or 4 matches.
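To see how the fingerprint behaves on real-looking data, here is an added Python example (not StoneGate fingerprint syntax and not the post’s own code) that applies the same three alternatives to a few constructed traffic lines and then runs the Luhn check on each hit. Two things are assumptions beyond the post: the \b word boundaries around the pattern, added so that a 14-16 digit run inside a longer token does not match, and the sample lines themselves. The card numbers used are the publicly known Visa and American Express test numbers.

```python
import re

# Added example (not from the original post): the three alternatives of the
# post's fingerprint, rewritten for Python's re module in verbose mode.
# The \b anchors are an addition: without them the 14-16 digit alternative
# also fires inside longer digit runs such as session identifiers.
CARD_PATTERN = re.compile(r"""
    \b(?:
        [0-9]{14,16}                                            # bare 14-16 digit run
      | [0-9]{4}[\-\x20][0-9]{4}[\-\x20][0-9]{4}[\-\x20][0-9]{4} # 4-4-4-4 grouping
      | [0-9]{4}[\-\x20][0-9]{6}[\-\x20][0-9]{5}                # 4-6-5 grouping (Amex)
    )\b
""", re.VERBOSE)


def luhn_ok(digits: str) -> bool:
    """Verify the trailing check digit with the Luhn algorithm."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    """Return (raw_match, digits_only, luhn_valid) for every fingerprint hit in text."""
    hits = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[\-\x20]", "", m.group(0))
        hits.append((m.group(0), digits, luhn_ok(digits)))
    return hits


def scan(lines):
    """Scan traffic lines; return (all fingerprint hits, hits that pass Luhn)."""
    candidates, likely = [], []
    for line in lines:
        for _raw, digits, valid in find_card_numbers(line):
            candidates.append(digits)
            if valid:
                likely.append(digits)
    return candidates, likely


# Constructed sample "traffic", not captured data. 4111111111111111 and
# 378282246310005 are the publicly known Visa/Amex test numbers.
SAMPLE_TRAFFIC = [
    "POST /checkout HTTP/1.1 card=4111111111111111&exp=1210",
    "card=4111 1111 1111 1111",
    "amex=3782 822463 10005",
    "order=20090102123456",          # timestamp-shaped: fingerprint hit, bad check digit
    "sid=12345678901234567890",      # 20-digit token: no hit because of \b
]

if __name__ == "__main__":
    cands, cards = scan(SAMPLE_TRAFFIC)
    print(f"{len(cands)} fingerprint hits, {len(cards)} pass the Luhn check")
    for d in cards:
        print("plaintext card number:", d)
```

The timestamp-shaped order number is the kind of false positive the bare 14-16 digit alternative produces; the IPS fingerprint alone cannot reject it, so the Luhn check has to happen wherever you review the alerts. The 20-digit token shows why the boundaries matter: the post’s original pattern, lacking them, would report a “card number” inside it.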

The context for the new fingerprint depends on where you want to test it. If you want to ensure that the web application itself does not accept card input over plaintext HTTP, add the fingerprint to the “HTTP Normalized Request-Line” context. If you want to detect the web server sending card information back to the client in plaintext, add the fingerprint to the “HTTP Server Stream” context.

Other potentially interesting contexts are “FTP Download Stream” and “FTP Upload Stream”, which detect card numbers carried over FTP data connections.

The PCI standard:
https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html

Wikipedia Credit Card numbers:
http://en.wikipedia.org/wiki/Credit_card_numbers

written by joona