
Wednesday, June 17

iPhone 3.0 and CalDAV

Bottom Line Up Front -- CalDAV and the iPhone 3.0 OS are awesome. Here’s how to make it work for you.


Finally CalDAV actually works with Google. Let me back up.


You’ve read my posts talking about how to sync your calendar between MobileMe and Google Calendar using BusySync. But what if you could cut BusySync out of the middle? Even though it’s pretty quick (at most a minute), what if you could work directly with Google’s calendar via CalDAV?


First things first, I have two requirements for my calendar:

I can have my calendar pushed to me at all times.

I can have access to my wife’s calendar on my phone.


My wife’s calendar is on Google Calendar. That being said, here we go...


I have to have my calendar pushed to me at all times because it’s quite frequent that I am invited to a conference call or a meeting, you know, after it started, and I need the dial-in or meeting details RIGHT NOW. I don’t have time to find a computer, log in, and check the calendar (or wait for it to sync). So my solution was: I need push calendar. Fine, BusySync and MobileMe were a near-perfect solution for that. I say near perfect because when I received an invite on my iPhone I couldn’t accept it, deny it, “maybe” it, etc. I could do that in iCal, but not on my phone. The only option that allows you to do this is Exchange integration with the iPhone. Well, I don’t have an Exchange server. Wait, didn’t Google drop that on us a while back? Yes, yes they did.


http://www.google.com/mobile/apple/sync.html


So I went into my Calendar settings on my iPhone 3.0 software, disabled calendar syncing with my MobileMe account, and added a new account, Exchange this time, following the directions laid out here:


http://www.google.com/support/mobile/bin/answer.py?answer=138740&topic=14252


Okay, done. Instantly my calendar started pushing down to my iPhone. I can send events from here, I can invite people, I can be invited, etc. Instant awesome.


Okay, but what about subscribing to my wife’s calendar?


Well, she uses Google Calendar, so now with iPhone 3.0 you can subscribe to a calendar via an .ics file or via CalDAV. So I subscribed to her calendar via CalDAV. Only you can have only one Exchange account. Not to worry, Apple fixed that too:


http://www.apple.com/iphone/how-to/#calendar.subscribing-to-calendars


I went in and subscribed to my wife’s Google calendar via CalDAV, and now I have both calendars fully synced to my iPhone at all times. Good stuff.


Well, I wasn’t done. Google long ago enabled the ability to integrate iCal with Google Calendar via CalDAV. I wrote before on this blog that it wasn’t ready.


But it seems Google may have fixed some issues.


http://www.google.com/support/calendar/bin/answer.py?hl=en&answer=99358#ical


That enabled me to set up Google Calendar in iCal, which I then needed to test. So I set up an invite for several of my coworkers for a meeting, and lo and behold, when I added the invitees, it presented me with an option: “Check availability”. Since my coworkers and I all use Google Calendar, I was able to view the availability of my co-workers right in iCal, make an appointment when they were all free, and guess what? When I clicked Send, it didn’t send an iCal .ics invite from my Mail.app; GOOGLE sent a Google Calendar invite from the server. From the SERVER. Of course, when people responded “yes”, iCal updated, my phone updated, and Google Calendar updated, all instantly.


The only (and I do mean ONLY) hiccup I noticed in this whole thing is that when I am typing names for invitations in the meetings, the names don’t automatically fill in from my address book, neither locally nor from Google Contacts, leaving me to type the entire email address out. However, I noticed an interesting side effect. I CAN type a group name (a local address book group name). That will populate everyone.


So, I still have my Contacts being pushed down to me via MobileMe, because I don’t like how Google Contacts auto-adds people you correspond with into your address book. Well, I don’t mind that, but it pushes these “new” people down to my phone and my address book on my computer, leaving me to then have to clean them all up. And that’s just annoying.


Hope you enjoy. I’ll try and post back in a couple days to let you know how everything is working with my new set up and with iPhone 3.0 in general.


Overall though, so far, iPhone 3.0 seems speedier, and I can’t wait for MMS.

Wednesday, June 3

Working with Gmail Filters

When my company went from using an IMAP server (which I used to filter using procmail rules) to using Google’s Gmail Cloud architecture for our email, I was excited. I’d been using my Google Gmail account for years, and up until that point, had always done so through IMAP.


After I moved my incredible amount of email up to Google’s servers, I found out that IMAP (Mail.app, Thunderbird, Mutt, etc) wasn’t cutting it very well and I would need to do something different.


Over the past couple of months I’ve been playing with just about every Mac-based email client there is (even Postbox, which seems to be everyone’s biggest “thing” right now), and I keep coming back to the same thing.


Google’s web-based Gmail experience. Of course, with the keyboard shortcuts.


I started off just dumping every email into my Inbox and labeling things manually (well, except for listservers), occasionally using the “Filter messages like this” button in Gmail.


Well, after using that method for awhile, I got to the point where my Gmail filters were gigantic. I had pages of filters. Sometimes 10-20 for the same label. So I decided I had to do something. I started playing with my filters in much the same way that I used to configure my Procmail rules.


Now, let me start off by saying that Gmail’s filters are not as powerful as Procmail rules and only support some simple regular expressions. For instance, I can’t write a rule in Gmail to handle complex email addresses like “handlers-1234567@address.here.com”, where the 7-digit number is a random ticket number. In Procmail I used to be able to do things like “handlers\-\d{7}@address.here.com”, so I tried some experimenting to see what I could come up with that works.


Well, I found out that parenthetical “or” statements work fine. For example, I have a rule that filters email from some of the Snort lists I belong to that looks like this:


(list:("snort-users.lists.sourceforge.net"|"snort-sigs.lists.sourceforge.net"|"chisug.lists.snort.org"|"snort-devel.lists.sourceforge.net"|"snort-inline-users.lists.sourceforge.net"))


So, the filter string looks at the “list” headers of the email and sorts on “snort-users.lists.sourceforge.net” OR “snort-sigs.lists.sourceforge.net”. You get the point. Putting parentheses around the group and putting “|” (pipe, meaning or) between each one allowed me to take five list-sorting lines and reduce them to one.


What I found out is, you can do this with anything, not just “list”; you can do it on From, To, etc. So I went crazy with consolidation. Heck, I have one filter that filters what I call “bulk” email: marketing stuff from companies, websites that I’ve signed up with, advertisements, Twitter notices, Facebook notices, etc. It skips the inbox and labels it as “bulk”. Do I want to read it? I might need to look through some of it, but I don’t need it in my inbox. (By the way, this filter has about 75 “or” statements in it; it’s 10 lines long.)


As I mentioned before, you can do this with a lot of things. I have a filter that deletes email from certain people. Email comes in with that “From” address? Do not pass Go, do not collect 200 dollars. Go straight to Delete.


I can’t stop these people from sending me email, but I can certainly delete it automatically.


You can even do complex nested parenthetical groups. For example, my ISC handler email addresses can start with “handler” or “handlers” @domain.sans.org; you can even write to isc@domain.sans.org (not the real email address, I’m doing that to eliminate spam; to contact us, go to our website at http://isc.sans.org).


So I have a rule that says:


to:(((handler|handlers)@domain.sans.ccc|(isc|anotheralias)@anotherdomain.sans.ccc))


What I have found is, by doing these groupings, it makes my filters and labels easier to sort and use.
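To make the grouping concrete, here is an added example (mine, not code from the blog or from Google) that models the subset of Gmail filter syntax used in the two rules above: a `field:` prefix, nested parentheses, and `|` for alternation. It expands an expression into the flat set of literals the grouping stands for, so you can see exactly how one grouped rule replaces several single-address rules, and then routes a few constructed messages through a small filter list. The header mapping (`list:` against `List-Id`, `to:` against `To`/`Cc`), substring matching, and the label/skip/delete actions are my assumptions about how such filters behave, not Gmail’s documented semantics.

```python
"""Toy evaluator for grouped 'field:(a|b)' filter expressions (added example)."""
from email import message_from_string
from itertools import product
import re

# The two rules quoted in the post, verbatim.
SNORT_LISTS = ('(list:("snort-users.lists.sourceforge.net"|"snort-sigs.lists.sourceforge.net"'
               '|"chisug.lists.snort.org"|"snort-devel.lists.sourceforge.net"'
               '|"snort-inline-users.lists.sourceforge.net"))')
ISC_HANDLERS = 'to:(((handler|handlers)@domain.sans.ccc|(isc|anotheralias)@anotherdomain.sans.ccc))'

# Assumed grammar for the subset shown on the page:
#   expr := seq ('|' seq)*      '|' unions the alternatives
#   seq  := atom+                adjacent atoms are concatenated (cross product)
#   atom := '(' expr ')' | '"text"' | bare-text
_TOKEN = re.compile(r'\(|\)|\||"[^"]*"|[^()|"\s]+')

def _strip_outer(text):
    """Remove parentheses that wrap the whole expression, e.g. '(list:(...))'."""
    text = text.strip()
    while text.startswith("(") and text.endswith(")"):
        depth = 0
        for i, ch in enumerate(text):
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and i < len(text) - 1:
                return text          # first '(' closes early, so it is not an outer wrapper
        text = text[1:-1].strip()
    return text

def _parse(tokens, pos):
    """Parse one expr; return (set of literal alternatives, position after it)."""
    alternatives, current = set(), {""}
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == ")":
            break
        if tok == "|":
            alternatives |= current
            current, pos = {""}, pos + 1
            continue
        if tok == "(":
            inner, pos = _parse(tokens, pos + 1)
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses")
            pos += 1
        else:
            inner, pos = {tok.strip('"')}, pos + 1
        current = {a + b for a, b in product(current, inner)}   # concatenation
    return alternatives | current, pos

def expand(expression):
    """'field:expr' -> (field, set of literals the grouped expression stands for)."""
    field, _, body = _strip_outer(expression).partition(":")
    tokens = _TOKEN.findall(body)
    literals, pos = _parse(tokens, 0)
    if pos != len(tokens):
        raise ValueError("unbalanced parentheses")
    return field.strip().lower(), literals

# Assumed mapping from filter field to the headers it is matched against.
FIELD_HEADERS = {"list": ["List-Id", "List-Post"], "to": ["To", "Cc"], "from": ["From"]}

class Filter:
    """One filter: a field expression plus the actions taken when it matches."""
    def __init__(self, expression, label=None, skip_inbox=False, delete=False):
        self.field, self.literals = expand(expression)
        self.label, self.skip_inbox, self.delete = label, skip_inbox, delete

    def matches(self, msg):
        haystack = " ".join(msg.get(h, "") for h in FIELD_HEADERS.get(self.field, [self.field]))
        return any(lit.lower() in haystack.lower() for lit in self.literals)

FILTERS = [   # constructed filter list in the spirit of the post
    Filter(SNORT_LISTS, label="snort-lists", skip_inbox=True),
    Filter(ISC_HANDLERS, label="isc"),
    Filter('from:("noreply@example.com"|"ads@example.com")', delete=True),   # constructed senders
]

def route(raw, filters=FILTERS):
    """Return (labels, lands_in_inbox); a delete action short-circuits to Trash."""
    msg, labels, in_inbox = message_from_string(raw), [], True
    for f in filters:
        if not f.matches(msg):
            continue
        if f.delete:
            return ["Trash"], False
        if f.label:
            labels.append(f.label)
        if f.skip_inbox:
            in_inbox = False
    return labels, in_inbox

SAMPLE_MESSAGES = [   # constructed headers, not real mail
    "From: someone@example.net\nTo: snort-sigs@lists.sourceforge.net\n"
    "List-Id: <snort-sigs.lists.sourceforge.net>\nSubject: new sig\n\nbody\n",
    "From: reader@example.net\nTo: handlers@domain.sans.ccc\nSubject: question\n\nbody\n",
    "From: noreply@example.com\nTo: me@example.net\nSubject: hello\n\nbody\n",
]
```

`expand(ISC_HANDLERS)` yields the four full addresses the nested groups stand for, which is the whole point of the consolidation: one rule, four (or five, for the Snort lists) former rules.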


All the email I possibly can, I filter using these methods, tag it with a label and “Skip Inbox”.


I found that I read email much less often now, and when I do, it’s sorted much more accurately and efficiently.


Give it a shot.

Sunday, May 31

Sourcefire on Twitter

Since Twitter is the latest bandwagon for the tech industry (as well as everyone else, including CNN) to jump on, not saying we have a bunch of bandwagon followers (I’m certainly one), but at Sourcefire, we have several people who have joined Twitter and post often. (And even more who don’t post very much at all.) So I thought I’d compile a quick list.


These people are all humans, not bots, and they have their own opinions, their opinions may or may not represent Sourcefire as a whole, but they are entitled to their opinions just like you all are. I’d recommend if you need to contact someone from Sourcefire, Twitter is not how you do it. Either through Support (if you are a customer) or via email. I have no idea when anybody checks their Twitter account, if, at all.


I thought I’d throw this together because recently our Marketing department did an email blast out to a bunch of people, recommending they follow several of us on Twitter. However, there were only three people listed. I thought it was cool for Marketing to hand me an extra 60 or so followers, but I thought I would help out everyone else that would like some followers on Twitter too.

Follow at your own risk; these are the people’s own accounts, not work-related accounts.


http://twitter.com/mroesch -- Marty Roesch, Creator of Snort and Sourcefire Chief Technical Officer.

http://twitter.com/VRT_Sourcefire -- The Sourcefire Vulnerability Research Team.

http://twitter.com/btpollard -- Sourcefire’s Vice President of IT, also a musician in his spare time, also runs 140-seconds.com

http://twitter.com/kmx2600 -- Matt Watchinski, Senior Director of the Vulnerability Research Team

http://twitter.com/pusscat -- Lurene Grenier, Team Lead in the VRT, also author of God-knows-what in Metasploit.

http://twitter.com/awilliams -- Andrew Williams, Team Lead in Product Development

http://twitter.com/leonward -- Leon Ward, Security Engineer over in the UK.

http://twitter.com/vrybdpkt -- Jason Brvenik, Senior Director of Security Engineering

http://twitter.com/ericlhoward -- Eric Howard, Security Engineer in the USA.

http://twitter.com/enhancedx -- JJ Cummings, also the Author of PulledPork, Professional Services (like me)

http://twitter.com/cjacob -- Director of Security Engineering, Eastern Division

http://twitter.com/jnaylor01 -- IT Support Engineer, got me a new MacBook Pro to replace my powerbook. So awesome.

http://twitter.com/tryke -- Ryan Jordan, one of our Software Engineers on Snort

http://twitter.com/dbruzek -- Dina Bruzek, Senior Director of Product Development

http://twitter.com/kpyke -- Matt Olney, one of our Sourcefire VRT Members and great photographer.

http://twitter.com/jamesjtucker -- James Tucker, one of our Security Engineers in Sweden.

http://twitter.com/tedbedwell -- Ted Bedwell, Manager in Product Development

http://twitter.com/kschar -- Ken Schar, Security Engineer in Arizona

http://twitter.com/torontomiller -- Marti Toronto Miller -- One of the (many) awesome people in HR.

http://twitter.com/jjtucker -- Jenn Tucker (I think) -- One of our Engineering Administrators.

http://twitter.com/pieterclaassen -- Pieter Claassen, one of our Security Engineers in, like, Norway or something.

http://twitter.com/evilcazz -- Brian Caswell -- One of our VRT Engineers, as well as one of the Shmoo.

http://twitter.com/allenmale -- International Sales person, Allen Male. Man of Mystery.

http://twitter.com/CelticRaven -- Jason Keller -- One of our Professional Services guys.

http://twitter.com/chriskelley -- Manager of Recruiting -- Chris Kelley. If you want to work for us, this is the guy to suck up to.

http://twitter.com/linuxgeek247 -- I am pretty sure this is Christopher McBee. He’s in IT, he also plays Xbox with the group, therefore, cool.

http://twitter.com/mguiterman -- Mike Guiterman, Marketing guy in charge of Snort.

http://twitter.com/alanptak -- Alan Ptak, Another Professional Services guy.

http://twitter.com/mbrannig -- Matt Brannigan, Principal Engineer in Product Development

http://twitter.com/joelesler -- Me.


Well, that’s pretty much all I can find right now on my list. I know there are more, and to those people I missed, I apologize. I’ll add you if you want.

Thursday, April 30

Email Signature Block Etiquette

I was involved in a discussion today about Email signature blocks and how obnoxious some of them are. I saw one today, with literally, an entire page of certifications and stuff. I’ve written about this before, but it never hurts for a little refresher.


Although the individuals reading my blog shouldn’t have this problem and know how to write email signature blocks right?


Let’s look at some best practices, and some other common stuff --


  1. Start your signature block with “-- ” (dash, dash, space). This allows email clients that correctly parse emails to collapse or grey out this area.
  2. 4 lines or less.
  3. Phone number, Primary, maybe fax (if you depend on the fax technology)
  4. No email address (If you are sending an email, what’s the point in having your email in your signature block? They already HAVE your email address!)
  5. Webpage (okay, this is fine, but keep it simple)
  6. No quotes. If I want a witty quote, I’ll go find one. Your email should tell me a lot about you, not the quote.
  7. Instant Messenger name (if you are the kind of person that would rather communicate via that medium, as opposed to phone).
  8. Disclaimer -- The jury is still out on this “disclaimer, legal copy” nonsense. Has one of these ever been enforced in court? Not that I know of.
  9. Company Name -- Good idea to have
  10. Address? No. I can go look it up, or email you back to get it. 99% of the emails you send will not need the address. Besides, if I feel you’ll need my address, I’ll send it to you, along with a short URL of Google Maps on how to get here.
  11. Logo, multi colors, html, and various other nonsense? No.


Keep it simple. My signature block reads:


--

Joel Esler | Sourcefire | gtalk: jesler@sourcefire.com | | http://twitter.com/joelesler


Short, sweet, to the point. You know how to get a hold of me via 4 mediums. Phone, IM, Twitter, and of course, Email.
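As an added example (my code, not the author’s), here is the client-side half of rule 1 together with a mechanical check of the rules that can be checked mechanically: it splits a message body at the RFC 3676 signature separator (“-- ” with its trailing space, which is why the space matters) and then audits the block for length, an email address, HTML markup, and a quotation. The sample bodies are constructed; treating an address labelled `gtalk:`/`jabber:` as an IM handle (rule 7) rather than an email address (rule 4) is my assumption.

```python
"""Sigdash splitting and a signature-block etiquette check (added example)."""
import re

SIGDASH = "-- "   # RFC 3676 signature separator: two dashes and a trailing space

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HTML_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
QUOTE_RE = re.compile(r'^\s*["“].+["”]\s*$', re.MULTILINE)
# Assumption: an address labelled as an IM handle is allowed by rule 7.
IM_RE = re.compile(r"\b(?:gtalk|jabber|xmpp|aim|skype):\s*\S+", re.IGNORECASE)

def split_signature(body):
    """Split at the first '-- ' line; a sigdash-aware client collapses everything after it."""
    lines = body.split("\n")
    for i, line in enumerate(lines):
        if line == SIGDASH:
            return "\n".join(lines[:i]), lines[i + 1:]
    return body, []          # no separator: nothing to collapse

def check_signature(sig_lines, max_lines=4):
    """Return a list of etiquette findings; an empty list means the block passes."""
    lines = [l for l in sig_lines if l.strip()]
    findings = []
    if len(lines) > max_lines:
        findings.append(f"{len(lines)} lines (rule 2: {max_lines} or fewer)")
    text = IM_RE.sub("", "\n".join(lines))   # drop IM handles before looking for addresses
    if EMAIL_RE.search(text):
        findings.append("contains an email address (rule 4)")
    if HTML_RE.search(text):
        findings.append("contains HTML markup (rule 11)")
    if QUOTE_RE.search(text):
        findings.append("contains a quotation (rule 6)")
    return findings

def audit(body):
    """Convenience wrapper: findings for the signature block of a whole message body."""
    _, sig = split_signature(body)
    return check_signature(sig)

# Constructed sample bodies: the author's own block from the post, and an over-long one.
GOOD_BODY = ("Thanks, see you at 3.\n\n-- \n"
             "Joel Esler | Sourcefire | gtalk: jesler@sourcefire.com | http://twitter.com/joelesler\n")
BAD_BODY = ("Thanks.\n\n-- \n"
            "Jane Q. Example, CISSP, GCIA, GCIH, CEH, MCSE\n"          # constructed
            "Senior Director of Things, Example Corp\n"
            "jane.example@example.com\n"
            '<img src="cid:logo">\n'
            '"Be the change you wish to see."\n'
            "This email and any attachments are confidential and intended solely for the addressee.\n")
```

Note that the checker does not try to judge the disclaimer line (rule 8 leaves that open), only the items the list states outright.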

Saturday, April 25

My Email set up

Earlier today, I found myself in a conversation on Twitter about how I process email with my friend Bryan Liles. He uses the Inbox Zero method, as do I, a bit, so I thought I’d actually write a post.


The last time I talked about email, I believe I was still using Mail.app, which, of course, I still like because of its nice integration with other Apple apps. I have to admit, however, that I no longer use it.


I use Gmail, the web interface. That’s all I use. I mentioned before that I used to have about 10 email accounts, all for various reasons, none of which I could truly justify. None of them were hidden or anything, they were all some derivative of “eslerj” or “joelesler” or something. So I started consolidating.


Right now, all my personal email, (friends and family) use one address. All my list servers go to a second address, and of course, I have my work email.


I found logging into three different accounts to be very annoying, so I found out through playing around in the Gmail settings that you can enable your Gmail to be able to send email “on behalf” of other email accounts. So, for example, I set my “from” address to be any one of the three addresses, and when I hit “reply”, Gmail knows to reply from the proper account. (If you have it set up correctly.)


So, I took my other two accounts and forwarded them to the one. That way, I have one single account to check all my email from. Very nice.


So, onto the meat, how do I process email?


Like a lot of people I use Gmail’s filters and labels. Since I forward all my email into one account, I get anywhere between 600-1000 emails a day, so I needed an efficient way to handle this stuff automatically.


All listservers, when I receive an email from them, are tagged automatically with a label, based upon the list header. (I suggest you let Google filter this stuff for you, use the “Filter Messages like this” feature.)


Google will suggest what it thinks you should use as a Filter. Whether it be from a certain person, etc.. For the listservers, it does a nice job of parsing headers. For example, the filter in my Gmail to filter emails sent to the Snort-Sigs list for http://www.snort.org is “list:"snort-sigs.lists.sourceforge.net"”

I then let Gmail apply a label, and Skip the Inbox.

That way I don’t get bogged down in the listserver email when I am trying to do actual email processing. All listservers are set up like that (Except for my “Snort” based ones, I want those in my Inbox, so I can respond to people.) That eliminates about 400-800 emails from my daily processing. I take a look at all my listserver email about once a day, scan the subjects, and if I don’t see anything interesting, I mark them all as read and move on. (BTW -- so, if you want me to particularly look at your email if you post to a listserver, cc me! You’ll find out why in a sec ;)


BTW -- If you aren’t using these two features in Gmail, you are absolutely crazy.

The first option is Keyboard Shortcuts. Once you learn the keyboard shortcuts in Gmail, you FLY through your email so much faster.


The Personal Level Indicators place little arrows next to the emails that are sent only to you (“>>”) or sent to you as well as someone else, for instance if you were “cc’ed” on an email (“>”).


Anyway --

So, when I read my email in my inbox, I use labels/filters to process the ones from my corporate domain “sourcefire.com” (and a couple of other domains) and label them a particular color. This allows me to quickly glance down a huge page of email and determine which of the emails with the “>>” arrows are from my company or not.
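The two cues described above, the personal-level arrows and the company colour, are easy to reproduce from headers, and doing so shows the one edge case the forwarding setup creates: when two of your own addresses land in the same account, a message sent to both of them is still “only to you”. The following is an added example of mine, not code from the post or from Gmail; the addresses and domains are constructed, and the triage ordering (company “>>” mail first, list traffic last) is my choice.

```python
"""Personal-level arrows and company colouring for inbox triage (added example)."""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed: the addresses that are forwarded into the one account, and the
# domains that get the "company" colour.
MY_ADDRESSES = {"me@example.com", "me-lists@example.com"}
COMPANY_DOMAINS = {"sourcefire.com", "example.org"}

def personal_level(msg, my_addresses=MY_ADDRESSES):
    """'>>' if I am the only recipient, '>' if one of several, '' if not addressed to me."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    recipients = {addr.lower() for _, addr in pairs if addr}
    mine = {a.lower() for a in my_addresses}
    if not recipients & mine:
        return ""                  # e.g. list mail addressed to the list, not to me
    # Several of my own forwarded addresses still count as "only me".
    return ">>" if recipients <= mine else ">"

def from_company(msg, company_domains=COMPANY_DOMAINS):
    """True when the sender's domain is one of the coloured domains."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() in company_domains

def triage(raw_messages):
    """Rows of (arrow, company?, subject), company '>>' mail first, list traffic last."""
    rows = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        rows.append((personal_level(msg), from_company(msg), msg.get("Subject", "")))
    rank = {">>": 0, ">": 1, "": 2}
    return sorted(rows, key=lambda r: (rank[r[0]], not r[1]))   # sorted() is stable

SAMPLE_MESSAGES = [   # constructed headers, not real mail
    'From: boss@sourcefire.com\nTo: "Joel" <me@example.com>\nSubject: need the dial-in\n\nbody\n',
    "From: friend@example.net\nTo: me@example.com, someone@example.net\n"
    "Cc: other@example.net\nSubject: weekend plans\n\nbody\n",
    "From: poster@example.net\nTo: snort-sigs@lists.example.net\n"
    "List-Id: <snort-sigs.lists.example.net>\nSubject: new rule\n\nbody\n",
    "From: hr@sourcefire.com\nTo: me@example.com\nCc: me-lists@example.com\n"
    "Subject: benefits enrollment\n\nbody\n",
    "From: colleague@sourcefire.com\nTo: team@sourcefire.com\nCc: me-lists@example.com\n"
    "Subject: team status\n\nbody\n",
]
```

`getaddresses` handles display names and comma-separated recipient lists, which is what makes the set comparison reliable on real headers.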


I process all the email in my inbox to “zero”, making “todo’s” (I use OmniFocus for this; learn your keyboard shortcuts!), responding quickly to those that need responding, and archiving the things I don’t want to respond to. I can burn through a couple hundred emails in a very short amount of time.


I also try to keep to the 5 sentences or less method of email if I can. I do make exceptions to this rule if I need to, (rarely), but I find that I don’t generally have a problem if I keep my emails quick, descriptive, and to the point.

Wednesday, April 8

Sourcefire's Exploit Development Class

First off, if you were to go look at this class on Sourcefire’s website, it states “Exploit Development Class for Snort Rule Writers”. We need to fix this. In the words of Lurene, “This class has nothing to do with Defense. At all. Ever.” The class should be more appropriately named, “Fundamentals of Exploit Development”, or “Writing Exploits, we’re going to hurt you”


So, let’s describe this class in two words or less:


Freakin Awesome.


Beginning on day one with a lot of terminology, introduction, and drinking from the firehose on assembly and gdb, by the end of the first day you are well versed in how to read assembly and pick it apart, and are even able to reverse simple programs. Your brain will hurt.


Day Two, more drinking from the firehose, more reversing, more assembly, more gdb, drawing stacks, and by the end of the second day, you are learning to control EIP, and doing it. Your Brain will hurt even more.


Day Three, you just sit all day and hack programs. From simple to intermediate, (you aren’t cracking Microsoft Office just yet ;), by the end of the day, you are using reverse shells and shellcode like nothing. Your Brain is now fried. Go drink beer. Seriously.


This was the best class I have ever taken in my life. Srsly.


You know those classes where you go and sit, and you could probably figure out 80% of it, and the other 20% of the class you pick up little tricks and tips on whatever you are learning? This is not one of those. If you know assembly, or have experience in reversing assembly, this is not the class for you (even though you will probably learn something). The class I took was taught by 4 of the Vulnerability Research Team members, people I am glad to call my friends.


So, my hat’s off to Lurene, Matt, Ryan, and Nigel, along with all the other members of the VRT that contributed, came out, and helped with the class. It was great, and I’d gladly take it again anytime.


The best part of the class, I thought, was during the class, on a separate projector, they fuzzed software and found some 0days. I don’t want to disclose which pieces of software were fuzzed, but let’s just say that they are pieces of software that people use everyday.


In one piece of software, over 200 crashes and bugs were caused. No word on how many were exploitable yet.


No, I will not tell you which piece of software it was either.

Friday, March 6

Why is your IDS outside your firewall?

Stop that. You’re doing it wrong.


This is a very puzzling situation that I run across quite often, more often than I should. I thought I’d bring up a few points as to why I view IDSs outside of firewalls to be a bad thing.


Allow me to play Devil’s Advocate here for a minute, present a few arguments, then allow me to rebut them. I am not insulting anyone that has their sensors outside the firewall. But I ask you to please reconsider. Here you go:


1. We place a sensor outside of our firewall to see what’s “out there in the wild”.


First off, the Internet is not plugged into one big hub. Network traffic that is destined for somewhere else is not going to be seen by your network. Only networks that you advertise as yours will receive the traffic that you intend. Placing a sensor outside of a firewall because you think you are going to see traffic “floating” by is just plain wrong.


Second of all, if you have a "Deny all, permit by exception" policy on your firewall -- as you should -- only allowing things into the network that you explicitly want people to access remotely, you will only see UDP-based attacks on the outside. So, you will simply pick up a lot more SQL Slammer attempts at your gateway. Confused? What do I mean?


If you have a stateful firewall, denying access to your network prevents a valid 3-way handshake from being completed with anything but a host you EXPLICITLY allow access to from the outside, so you will never receive TCP-based attacks against anything else. Your IDS will sit there and track SYN packets all day, attempting to track sessions, never receiving SYN-ACKs, and purging each session from the state table upon timeout. Maybe your firewall will send an ICMP Admin Prohibited response if you have it configured to do so; however, most firewalls simply drop silently. After all, why would you want the attacker that is coming after you to know you have a firewall, and exactly what hop it is in the network?


This is a waste of IDS resources, time, and money. (Time = money.)


2. “We put the IDS outside the firewall because if an attacker is going to attack our network, they are going to attack the firewall first.”


(Yes, this is an actual quote. I do have permission to repeat it, as long as I don’t tell anyone who said it. Actually, the person who told me this was simply repeating what his network admin had told him.)


If you told me that statement above, I would assume three things.


First: The management interface to your firewall is accessible from the Internet.


Second: If it is, what is the condition of the rest of your network? I can most likely attack it more easily.


Third: Obviously you are willing to sacrifice your IPS (by putting it outside). What is the difference between an IPS and a firewall in this context?


I say they are both security devices, and are both vital to the protection of the network. If I am an attacker, I am not going to attack your firewall. I am going to try and find a way THROUGH your firewall, install some kind of backdoor, then get in through that, or better yet, have the backdoor opened for me from the inside. You obviously have some ports open on your firewall, so I am going to go in through those first. I’d rather go after your SSH server, FTP server, HTTP server, hell, I’d rather attack your printer than go after your firewall. That is, of course, assuming your management interface isn’t sitting in the DMZ with a password of “password”.


3. It’s the only aggregation point we have where all the traffic comes together!


Okay, fair enough, I’ll allow this argument. However, I am assuming then that this is just a temporary solution until you can either afford to buy more sensors or build more SNORT® boxes. It should only be a temporary solution, and you should really concentrate hard on moving your IPS inside of your firewall, perhaps getting traffic to the IPS/IDS with taps or multiple SPANs. Utilizing multiple detection engines on one machine is a good way to do that. A sensor sitting outside the firewall is never the solution, for the two or three really good reasons I just talked about above.


I am sure I can probably think of some more, but that’s enough for now.
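The argument in point 1 is easy to see in numbers. Below is an added example of mine (not code from the post, and not Snort) that runs a minimal TCP session tracker over one constructed packet trace from two vantage points: the raw wire outside, and what a stateful deny-all-permit-by-exception firewall lets through to an inside sensor. Addresses come from the RFC 5737 documentation ranges, the 30-second half-open timeout and the single permitted service (TCP/80) are my assumptions, and the trace itself is constructed to contain a handful of probes that the firewall never answers.

```python
"""Outside vs. inside IDS vantage point on one constructed trace (added example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    t: float          # seconds since start of trace
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flags as seen: "S", "SA", "A"

SERVER = "203.0.113.10"     # constructed, RFC 5737 range
SCANNER = "198.51.100.7"    # constructed, RFC 5737 range
ALLOWED = {(SERVER, 80)}    # "deny all, permit by exception": only the web server is reachable

# Constructed trace as the outside sensor sees it: three unanswered probes, one real
# web session, one UDP datagram, and a late probe that trips the half-open timeout.
TRACE = [
    Packet(0.0, "tcp", SCANNER, 40001, SERVER, 22, "S"),
    Packet(0.1, "tcp", SCANNER, 40002, SERVER, 445, "S"),
    Packet(0.2, "tcp", SCANNER, 40003, SERVER, 3389, "S"),
    Packet(1.0, "tcp", SCANNER, 40004, SERVER, 80, "S"),
    Packet(1.05, "tcp", SERVER, 80, SCANNER, 40004, "SA"),
    Packet(1.1, "tcp", SCANNER, 40004, SERVER, 80, "A"),
    Packet(2.0, "udp", SCANNER, 40005, SERVER, 1434),
    Packet(40.0, "tcp", SCANNER, 40006, SERVER, 23, "S"),
]

def track_sessions(packets, timeout=30.0):
    """Count sessions the way the post describes an IDS doing it: SYN opens an entry,
    SYN-ACK and ACK complete it, and unanswered SYNs are purged after the timeout."""
    table = {}   # (client, cport, server, sport) -> [state, last_seen]
    stats = {"established": 0, "purged_half_open": 0, "udp": 0}
    for p in packets:
        stale = [k for k, (state, last) in table.items()
                 if state == "SYN_SENT" and p.t - last > timeout]
        for k in stale:
            del table[k]
        stats["purged_half_open"] += len(stale)
        if p.proto != "tcp":
            stats["udp"] += 1        # stateless: nothing to track, it just counts
            continue
        if p.flags == "S":
            table[(p.src, p.sport, p.dst, p.dport)] = ["SYN_SENT", p.t]
        elif p.flags == "SA":
            key = (p.dst, p.dport, p.src, p.sport)
            if key in table and table[key][0] == "SYN_SENT":
                table[key] = ["SYN_RECV", p.t]
        elif p.flags == "A":
            key = (p.src, p.sport, p.dst, p.dport)
            if key in table and table[key][0] == "SYN_RECV":
                table[key] = ["ESTABLISHED", p.t]
                stats["established"] += 1
    stats["pending_half_open"] = sum(1 for state, _ in table.values() if state == "SYN_SENT")
    return stats

def firewall_pass(packets, allowed=ALLOWED):
    """Stateful default-deny model: return the packets an inside sensor would see."""
    permitted, inside = set(), []   # permitted: client 4-tuples whose SYN was allowed
    for p in packets:
        if p.proto != "tcp":
            if (p.dst, p.dport) in allowed:   # stateless traffic only by explicit exception
                inside.append(p)
            continue
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":
            if (p.dst, p.dport) in allowed:
                permitted.add(fwd)
                inside.append(p)
        elif fwd in permitted or rev in permitted:
            inside.append(p)          # replies and later segments of a permitted session
    return inside

def compare(trace=TRACE, allowed=ALLOWED):
    """Session statistics for an outside sensor and an inside sensor on the same trace."""
    return {"outside": track_sessions(trace),
            "inside": track_sessions(firewall_pass(trace, allowed))}
```

On this trace the outside sensor spends its effort on four half-open entries and a UDP datagram that the firewall drops anyway, while the inside sensor sees exactly the one session that could ever reach a host: the same established connection, with nothing purged.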

    Monday, February 23

    Moving my network around

    Today I moved my network around, so just a quick article about why, or what was the point.


    It’s funny the little noises that irritate you. For me, there are a few, high pitches whines, buzzing sounds that are constant, when my wife clicks her nails together, and computer fans.


    In my office, I have a PowerMac (Dual Core, with Dual Fans), a Linux box that I do a lot of Snort Testing on, and a 1U server that is older than my daughter.


    The 1U was moved to the basement a long time ago, simply because the fans on the thing were so incredibly loud, you couldn’t sit in the same room as the machine. It was crazy. I can’t imagine a server room full of these things. The fan ran constantly too. Not when the processors got hot, but all the time. So very irritating! I moved this server to the basement by drilling a hole in the floor in my office and running a Cat 6 cable down there. Simple enough.


    That was about a year ago.


    As I’ve stated before on the blog, on Twitter, and God knows where else -- I’ve moved totally to using laptops as my primary machines now. I keep everything “in the cloud” except for things like pictures (in iPhoto), music (in iTunes), and random miscellaneous software.


    I use my iDisk for my document and file storage, and am starting to use Google Docs for collaboration on documents. I use Evernote for jotting down notes and keeping everything in one place. I use Google Mail for my email (eliminating the need for a local client), and I use Google Calendar for my calendaring (as opposed to iCal).


    So my needs for everyday computing are rather lightweight. Last week my company replaced my aging PowerBook G4 with a brand new MacBook Pro. I started to do the “laptop dance”, you know the one, where you transfer years and years of data that you have kept for God knows why over to your new computer. After about an hour of doing this, I decided that this was inefficient and stupid and stopped. I moved everything to things like iDisk and Evernote, and eliminated the need to have everything locally. (Technically I do have everything locally, it’s just synced for me.)


    I brought my new MBP into the office here at the house and stared at my PowerMac for awhile.


    My PowerMac has served me well for years. It’s a Dual 2.0 PowerMac G5, liquid cooled, and has 4 gigs of RAM in it. This thing is still pretty fast, and I bought it in the 2004/5-ish timeframe. But what did I use it for?


    It’s sitting here connected to my 20in Apple Cinema Display -- which, by the way, Apple stopped making recently -- with a keyboard and mouse connected to it. But how often do I use this thing? How about almost never! I’d rather use my laptops, because then I can wander all over the house, go to Starbucks, Panera, whatever.


    So I thought for a while. I already have a Cat 6 cable running to the basement; what if I relocated all my computers, switches, and everything to the basement, and only kept my wireless access points (with their associated Ethernet cables plugged in) upstairs?


    So I moved everything -- PowerMac, Linux servers, switches, hubs (for testing) -- downstairs. I even moved my FiOS connection end point downstairs (which required re-running the cable, etc.).


    All I have in my office now is my MBP, with the 20in Monitor attached to it, and I have my personal older model MBP sitting next to it. (It’s my “grab my computer and go to the bathroom for reading material” computer.)


    You can hear a pin drop in my office now, and it is much less distracting.


    I recommend that if you can relegate your computing devices out of your office into another room, closet, floor, attic, or whatever, do it. It’s awesome.

    Saturday, February 14

    A tale of my mother-in-law’s laptop

    So, yesterday, my mother-in-law moved into my house to stay with us for a while. (Yes, this is cool with me; it was actually my idea. Anyway.)


    She handed me her laptop, a Sony Vaio (this thing is a freaking brick!) loaded with Windows XP. She always makes jokes about my network here at the house, and about how “clean” it probably is (all Macs, security, etc.), so I went about starting to clean it.


    First, I wanted to get the antivirus updates. She had a current antivirus client (Symantec); it was the full suite, with the firewall and everything. So I updated that, which took a while as it hadn’t been updated in a while.


    -- Sidebar --

    My mother-in-law has been on dialup for a long time in the neighborhood where she used to live. She doesn’t stay online for long: just long enough to log into her AOL account, check her email, and do some light surfing. (Yes, AOL. Seriously.)


    So you can imagine, nothing has been updated in a long time because of the speed of her connection; she doesn’t have the kind of time to sit there and let downloads run overnight.

    -- Back to my Story --


    The antivirus ran and asked me if I wanted to deal with the stuff in quarantine. I looked at what it was: 3 instances of “Bloodhound.Exploit” in Temporary Internet Files. Okay, not a big deal; they’d been quarantined for over a year, so I just deleted them. Hopefully that’s all it finds.


    So I started to download XP updates. This is really where I started to value my Macs. This machine was Windows XP, pre-Service Pack 3. So you know the drill: get the updates up to date so you can download SP3, then download SP3, then install that, then update, update, update, update. I had to go to Windows Update at least 5 or 6 times. Office was actually updated, but the Windows OS updates were so far behind that it took me 6 hours to get this thing updated.


    Now, I know when you build a fresh Mac install you have to do the same thing. But it only takes me about 20 minutes to do it, not 6 hours.


    I started telling my tale, as I was going, to my followers on Twitter. A lot of jokes were made, you know, about making the laptop a doorstop, or if I had a table with one short leg, go ahead and prop up the table with it.


    Other suggestions were made like, “load Ubuntu on it, tell your mother-in-law it’s the new version of XP”. I thought about it, but my mother-in-law is just one of those kinds of people who gets comfortable with her computing experience, and you don’t want to upset that. She likes her XP and Microsoft Word, so I don’t want to mess with her right now; maybe she’ll get a Mac on her next computer buying experience.


    Anyway, it’s fully updated and working now, yes, it’s on my network, as much as I hate to admit it. (It’s the first Windows machine on my network in about 6 years.)


    Hopefully now, I can keep her patched and updated.