The Network Hub:

Network security

Aug 21 2009   6:20PM GMT

Network Access Control, switch vendor ConSentry goes out of business



Posted by: Shamus McGillicuddy
switches, ConSentry, Network access control, NAC, Network security, Routing and switching

ConSentry Networks has gone out of business, according to Network World. ConSentry was a network access control (NAC) vendor that approached the market by selling NAC and other security and control technology embedded in Ethernet LAN switches. I’ve talked to a few of ConSentry’s customers over the years, who have seemed happy with the company’s switches and NAC products, but in the end I suppose there just weren’t enough customers to sustain ConSentry in this economy.

Network World’s Tim Greene cites an interview with Mario Nemirovsky, the founder and chief scientist at ConSentry, who says that the company closed its offices yesterday and that employees were cleaning out their desks.

ConSentry’s website makes no mention of the company’s failure as of this afternoon… but who knows how long the website will remain active.

Just last month ConSentry was making a modest PR push with its concept of “LAN sprawl,” increased network complexity in enterprises that it claimed was driving the need for smarter network switches. While some enterprises are seeing the need for smarter edge switches, many other enterprises are content with dumb edge switches. In the end, I suppose there just wasn’t enough room in the market for another smart switch vendor.

Mar 30 2009   8:18PM GMT

Conficker worm to strike April 1



Posted by: Tessa Parmenter
Networking, Network security, Windows Security


Although Microsoft Conficker/Downadup infections were not a major threat a couple months ago, sources ranging from Brink to The New York Times (Computer Experts Unite to Hunt Worm) say that on April 1, 2009, the worm will be programmed to run a mystery doomsday attack.

For those unfamiliar with the threat, it has been considered the biggest botnet ever. According to Microsoft’s Malware Protection Center, on March 4, 2009, a peer-to-peer (P2P) mechanism has been added to the latest iteration of the worm — making this the fourth evolution (Conficker A/B/C and now D) since October of 2008.

No one knows exactly what the worm will do on April Fool’s Day, as much Conficker disaster speculation abounds. While some guess it will bring down the Internet, such a feat would run contrary to the very nature of botnets. A network of viral computers usually sends out spam — swindling victims out of money. If the Internet were down, whoever started the threat wouldn’t make money. However, using the zombie computers to ping a site at the same time to create a denial of service (DoS) attack would be much more likely. This would enable the creator to steal confidential corporate data (Source: ABC news “Conficker Computer Worm Threatens Chaos”).

The good news is that if you haven’t been infected by Conficker already, there’s a pretty good chance you won’t. Computers on your network that have legal licenses of Windows and up-to-date anti-virus software won’t be subjected to the threat (Conficker, Downadup worm hype?). Take SearchSecurity.com contributor Eric Ogren’s Microsoft Conficker worm offers attack prevention lesson if you’re worried.

If you’re still worried, let’s just hope then that the Internet Corporation for Assigned Names and Numbers (ICANN)-bird gets the worm.


Feb 13 2009   10:43PM GMT

NetScout adds authentication and policy control to packet sniffer



Posted by: Shamus McGillicuddy
Network security, network policy, NetScout, Packet Sniffer

If you’re a network manager, chances are you’ve possessed a laptop with a packet sniffer or protocol analyzer on it. Just plug that bad boy into the corporate network and you can look at all the traffic that’s going across the wire.

I’m sure you’ve worn a white hat while using such a tool, but has the thought crossed your mind at some point that one of your admins could go rogue with such a tool and cause some real trouble for you?

I recently talked to Steve Shalita, vice president of marketing for NetScout, about this worry. Back in the fall of 2007, NetScout bought Network General, the maker of one of the original packet sniffers, named (what else) Sniffer.

Shalita said NetScout is releasing a new version of Sniffer called Sniffer Global which introduces a server-based authentication point for all Sniffer desktop installations. Through this central server, network managers can set policies for usage of Sniffer technology.

“You can limit how far they can go into the packet,” Shalita told me. “And you have the ability to, by user and with very granular detail, report on what that user has done out there on the network. The server is doing policy control and authorization of what they can do and reporting back to you.”

Sniffer Global isn’t a cure-all for potentially rogue packet sniffers on the network. It isn’t backwards compatible with older versions of Sniffer. So you’d have to update all the desktops that have Sniffer on them. That means you’d have to find the ones you don’t know about, too. And of course, Sniffer Global’s server won’t identify packet sniffers made by other vendors, either. Instead, Sniffer Global’s value is in establishing centralized control over sanctioned Sniffer PCs across the network.


Oct 31 2008   8:12PM GMT

How to kill a network zombie



Posted by: Amy Kucharik
Network security

Network security meets George Romero zombie movies: a combination I can’t resist. So I had to share this computer zombie post from Peggy Rouse, over in the “Overheard in the tech blogosphere” blog:

“Before a zombie hunter can kill some zombies he has to find them. In the movies the hero can listen for low sorrowful moans or slow shuffling feet to track them down, or just look for the carnage of half eaten people. On your network you can look for similar signs of the undead so you can blast them to oblivion.”

– Adrian Duane Crenshaw, LAN of the Dead: Putting computer zombies back in their grave, Ash style

Unlike a lot of bloggers who write about zombie armies, Adrian doesn’t just scare you — he actually tells you how to hunt down zombies on your network and kill them. Recommended reading.

If you encounter any actual zombies, on the other hand, remember to aim for the head.

Happy Halloween!


Oct 1 2008   5:41PM GMT

Win this book: ‘Build Your Own Security Lab: A Field Guide for Network Testing’



Posted by: Tessa Parmenter
Network security, Wireless, Network, Wi-Fi, Wireless networking, contests, Network testing and hacking

SearchNetworking.com’s very own security expert, Michael Gregg, has written another book: Build Your Own Security Lab: A Field Guide for Network Testing.


This how-to book not only gives you real-world scenarios you’ll actually be able to relate to, but the materials you’ll need to create your own test lab: It comes with a CD-ROM featuring security and hacking tools as well as open source tools, demo software, and a bootable version of Linux.

As security should never be last on the network administrator’s task list — we want to give our readers an opportunity to win this book for free. We have 10 copies of Michael Gregg’s book to give away to IT professionals in the United States. (Sorry, we cannot ship books outside the country.) Just go to our Build Your Own Security Lab giveaway two-question survey, and tell us if you’ve ethically hacked your network. Submitting your response will enter your name into our random drawing which will be held on November 1st. This means you have until the end of October to submit your entry.

If you miss your chance to enter, or don’t win a copy — never fear! You can still download Chapter 9 of Build Your Own Security Lab, Securing Wireless Systems — which starts you off with basic wireless know-how and goes on to explain how to ethically hack and secure your wireless systems with various networking tools. Since we all live different lifestyles, this chapter is downloadable as a PDF or as a podcast for when you’re on the go.

Do you like this offer? Let us know — or feel free to suggest any other books you’re on the lookout for that we could help you get for free.


Aug 11 2008   4:52PM GMT

If MIT students ride your subway system, you’d better beef up network security



Posted by: Shamus McGillicuddy
Network security, Network, Network devices

Shocking news: The RFID fare card system that the Massachusetts Bay Transportation Authority (MBTA) uses on its buses and subway is totally hackable.

This past weekend, three Massachusetts Institute of Technology (MIT) students (Alessandro Chiesa, RJ Ryan, and Zack Anderson) were supposed to deliver a presentation at Defcon, a hacker conference in Las Vegas, about how they hacked the MBTA’s “Charlie Card” fare card system. They created software that allowed them to create clones of the RFID cards that could allow them to ride for free on the transit system forever.

They made one mistake. Before delivering their presentation, they met with MBTA officials to warn them about the transit system’s insecurity and to offer tips on how to protect it. The MBTA responded by seeking and winning a court injunction, preventing the students from presenting their findings.

However, the injunction didn’t come through until after the students had already distributed copies of their PowerPoint presentation to all Defcon attendees. Those slides are now available online via The Tech, MIT’s student newspaper.

The slides reveal some very disturbing but unsurprising pieces of information. For instance, the turnstile control boxes in Boston’s subway stations are often unlocked and wide open. High-tech surveillance stations are often left unattended (I’ve seen this myself many times at the Back Bay T station.). Official MBTA materials, such as MBTA inspector coat patches, MBTA hats and MBTA license plates are available on eBay. The students were even able to find an unlocked room where the network switches that connect fare card vending machines to the MBTA’s internal network are located.

Was the MBTA trying to get hacked? Look at the photographs and see for yourself.

This should come as no surprise. After all, this is an organization that is running a $75 million deficit, despite a 27% fare increase in January 2007 and a 6.1% increase in ridership during the last fiscal year. Does anyone expect them to run a tight ship?

Any organization in Boston should be on its toes at all times. MIT is known for its hacking hijinx. Just look at the school’s own website, where you can find a gallery of Interesting Hacks to Fascinate People.


Jul 9 2008   1:01PM GMT

Can your access point help arrest a thief?



Posted by: Michael Morisy
Network security, Network, Wireless networking, 802.11n, Colubris, E.T. phone home


I got a chance to meet with the fine folks over at wireless networking vendor Colubris for the first time yesterday, and they were kind enough to give me a tour of their offices as well as explain some of their technology. Like most wireless networking vendors, they use a centralized controller to manage access permissions and hand offs, with what they say is an important difference.

The difference, Carl Blume, director of strategic marketing, and Tom Racca, vice president of marketing, said, is that Colubris avoids sending all the data traffic through the controller.

Instead, the controller first authenticates users on the wireless LAN, and then tells the access point (AP) how to route the data itself, which Carl and Tom said greatly cut down on the amount of redundant data flowing through the network. (They also said, like every other wireless vendor I have ever talked to, that they are the only ones who have solved 802.11n with standard PoE.)

Tom also relayed what I thought was an interesting story: Colubris access points can be set to work semi-autonomously, and if they get knocked offline they can be configured to automatically re-connect to the central controller. One school system, sick of APs wandering off, opened up a port in their firewall to let the devices reconnect even when they were out on the public Internet. Sure enough, a missing AP started phoning home, and the school was able to use the AP’s IP address to locate the missing access point … and arrest its thief.

We hear such “phone home” capabilities are going to become more common, and already stories of cameras and laptops photographing perps and posting their pictures are common. While maybe not a deal sealer, it’s certainly not bad as extra protection for devices that retail for $1000 and beyond.

Do you have any home phoning success stories?


May 16 2008   5:24PM GMT

Are Cisco knockoffs a modern Trojan Horse?



Posted by: Michael Morisy
Network security, Cisco, Routers, Network, Routing and switching, military, kill switch, knockoffs, FBI

So it’s not exactly breaking at this point, but scary nonetheless: The FBI’s Operation Cisco Raider has led to a number of criminal cases involving counterfeit Cisco products bought by military agencies and contractors, according to the New York Times.

What’s so worrisome? Knockoff handbags and even iPhones aren’t a direct security threat, but fake Cisco routers might be, as the Times reports:

The potential threat, according to the F.B.I. agents who gave a briefing at the Office of Management and Budget on Jan. 11, includes the remote jamming of supposedly secure computer networks and gaining access to supposedly highly secure systems.

Cisco says we’re safe this time, and the counterfeiters’ motives are a little more pedestrian:

“We did not find any evidence of re-engineering in the manner that was described in the F.B.I. presentation,” said John Noh, a Cisco spokesman. He added that the company believed the counterfeiters were interested in copying high volume products to make a quick profit. “We know what these counterfeiters are about.”

Today, it might (hopefully) be about making a quick buck, but an Ars Technica article underlines some of the Pentagon fears about so-called “Manchurian chips”:

There is no question that the technological infrastructure in the United States is under siege. We have seen a steady litany of attempted intrusions originating from abroad, most likely perpetrated by a mix of foreign governments and organized crime groups. An emerging concern is that the same agents behind those cyber-attacks could also have access to the chip fabrication facilities that make the components used in US military technology. Researchers say that virtually undetectable kill-switches and backdoors can be built into any of the countless integrated-circuit chips used in mission-critical military hardware systems.

So what can you do to make sure your own equipment is genuine? Not a whole lot, it appears. Amy browsed some forums for tips, but the best we could find was the old consumer adage: If a deal looks too good to be true, it probably is.


Feb 22 2008   8:47PM GMT

Open source networking hums along, quietly



Posted by: Susan Fogarty
Networking, Network security, Network management, Open source, Routing and switching

Open source has been buzzing lately: Gartner identified it as one of the top 10 trends for 2008, and last week Microsoft announced it was publishing 30,000 pages of documentation for Windows Server 2008 and Windows Vista and launching an “Interoperability Initiative.” Google is pushing open applications and development of the new Android operating system, while Verizon claims to be opening its network.

In the networking industry, however, while open source adoption seems to be growing at a good clip, I don’t see much hoopla about it. So I’ll forgive you if you missed Shamus McGillicuddy’s article about the launch of ZipForge, a new website AlterPoint developed to support its ZipTie open source network configuration product. The ZipForge site provides a place where AlterPoint vendor partners can post interoperable ZipTie components that developers and users can download, review, and contribute to.

It would be great to see users take advantage of this repository to consolidate other networking-specific software tools, much like a true SourceForge (from which the new site partly takes its name) for networking pros. According to the article, networking has experienced less of an upsurge in open source because the technology itself is so reliant on hardware. While that may be true in a basic sense, software is becoming far more important and familiar. There are already several open source programs that networking folks use regularly, and that list is bound to expand.

Network engineers have long used open source software to run routers, VPNs and VLANs on run-of-the-mill servers. Snort, OpenNMS, Nagios and Nessus are staples in networks big and small. And the popularity of Asterisk, the open source IP telephony platform, continues to grow in leaps and bounds.

Open source is definitely a part of the network, but I think that’s how most networking pros view it — as just a part of the network. They choose it because it works well, it interoperates, or it’s cheap, and they don’t get too caught up in the idealism and spreading the word about the benefits of open source. Also, most networking pros wear so many hats that they can’t spend a lot of time thinking about one system or product. They are even less likely to use that time evangelizing or flaming posts over at Slashdot.

I recall a network administrator I met a while back at a trade show. He had installed a few Vyatta routers, and he thought they were fantastic. But he was also in the throes of rolling out Avaya IP telephony to multiple locations and installing a new supply chain automation system. So while he was happy with his open source routers, they probably weren’t the first thing on his mind. The buzz about open source in the network is there, but sometimes you have to listen hard to hear it.


Feb 14 2008   8:01PM GMT

Network security concerns: Mo’ remote workers mo’ problems



Posted by: Tessa Parmenter
Network security, Wireless, Network, Network management

When the network was built like a castle, located in one static location, it was easier to have perimeter defense–the castle walls, the moat and hill (i.e., the firewalls)–protecting the royalty… I mean, data. Nowadays, there’s more royalty (information) to keep track of and they don’t stay put within the safe walls of their core network/abode.

Needless to say, security is a primary networking concern (as was seen in a SearchNetworking.com survey conducted last fall polling more than 1,200 readers). I blame this largely on the increase of wireless (many wireless network security best practices are mysteries to most), the growing deployment of mobile devices (anywhere access), and the fact that not only are corporate devices travelling well beyond office-building walls, but the workers are too.

Sixty percent of enterprises have wide-spread remote access–where 50% or more of the workforce have remote access to the internal network–according to Yankee Group who surveyed 200 enterprises last summer. Senior Analyst of Enterprise Research in Network Security Phil Hochmuth of Yankee Group reported that three years prior, less than 25% of organizations supported wide-spread remote access.

With such an increase in such a short amount of time, it’s no wonder network administrators are worried about how to secure and manage all these people. I realize I’m one of them: in the past three years, the companies I have worked for either allowed me to work remotely or involved me working from home entirely; I’m living this statistic, as many of you now are too, I’m sure.

Office space can be costly for an enterprise, and for the workers–so can gas, auto-repairs, and overall transportation. But on top of avoiding commutes, there’s a business benefit; mobile workers in jobs like sales or consulting, which require them to travel, are able to access data, fill orders more quickly, and quicken the overall pace of business transactions because they no longer lose as much time when they’re on the road. Unfortunately for the system administrator, all of this remote interaction puts stress on the network.

Hochmuth said “increased employee productivity is the main driver behind the move to open up internal networks for anywhere access, and SSL VPNs are emerging as the main tool enterprises use to provide this type of access.”

Independent research firm Amplitude Research commissioned by VanDyke Software found in their Fourth Annual Enterprise Security Survey that organizations are heightening their commitment to securing data communications. Secure remote access was the number one security management issue facing their company, according to their 2007 survey.

“The survey findings correlate to what we see happening in the field,” said Jeff P. Van Dyke, president and founder of VanDyke Software: “There’s a lot on the plates of the systems administrators, and with securing remote access a top issue and secure file transfer showing significant increase as a top issue to manage within the enterprise, VanDyke Software focused on new features for SecureCRT 6.0 and SecureFX 6.0 that make life in these areas so much easier for IT and network administrators.”

Hochmuth said “enterprises are literally opening up for business when it comes to supporting the ability of their employees to work from anywhere.” And VanDyke Software is one such company “opening up for business” to meet the needs of floundering network administrators who have to implement and support the increasing number of remote workers for their companies.

I suspect many more are aiming to follow suit.