Archive

Category Archives for "Security"

Slowloris all the things

At DEFCON, some researchers are going to announce a Slowloris-type exploit for SMB -- SMBloris. I thought I'd write up some comments.


The original Slowloris from several years creates a ton of connections to a web server, but only sends partial headers. The server allocates a large amount of memory to handle the requests, expecting to free that memory soon when the requests are completed. But the requests are never completed, so the memory remains tied up indefinitely. Moreover, this also consumes a lot of CPU resources -- every time Slowloris dribbles a few more bytes on the TCP connection is forces the CPU to walk through a lot of data structures to handle those bytes.

The thing about Slowloris is that it's not specific to HTTP. It's a principle that affects pretty much every service that listens on the Internet. For example, on Linux servers running NFS, you can exploit the RPC fragmentation feature in order to force the server to allocate all the memory in a box waiting for fragments that never arrive.

SMBloris does the same thing for SMB. It's an easy attack to carry out in general, the only question is how much resources are required Continue reading

Defending anti-netneutrality arguments

Last week, activists proclaimed a "NetNeutrality Day", trying to convince the FCC to regulate NetNeutrality. As a libertarian, I tweeted many reasons why NetNeutrality is stupid. NetNeutrality is exactly the sort of government regulation Libertarians hate most. Somebody tweeted the following challenge, which I thought I'd address here.


The links point to two separate cases.
  • the Comcast BitTorrent throttling case
  • a lawsuit against Time Warning for poor service
The tone of the tweet suggests that my anti-NetNeutrality stance cannot be defended in light of these cases. But of course this is wrong. The short answers are:

  • the Comcast BitTorrent throttling benefits customers
  • poor service has nothing to do with NetNeutrality

The long answers are below.

The Comcast BitTorrent Throttling

The presumption is that any sort of packet-filtering is automatically evil, and against the customer's interests. That's not true.

Take GoGoInflight's internet service for airplanes. They block access to video sites like NetFlix. That's because they often have as little as 1-mbps for the entire plane, which is enough to support many people checking email and browsing Continue reading

Transforming IT Security in Three Key Steps

Several years ago, the CEO of a Fortune 100 company remarked: “If you went to bed last night as an industrial company, you’re going to wake up this morning as a software and analytics company.”

Today, these words are more true than ever—but so is the reality that the digital transformation in business has also given rise to significant changes across the IT landscape and, in turn, significant new challenges for IT security.

As people, devices, and objects become more connected, protecting all these connections and environments has become a top priority for many IT organizations. At the same time, it’s also become one of their biggest challenges. Securing each and every interaction between users, applications, and data is no easy feat—especially when you consider that securing these interactions needs to be done across environments that are constantly changing and increasingly dynamic.

So how do you mitigate risk in a world where IT complexity and “anytime, anywhere” digital interactions are growing exponentially? For organizations that are embracing cloud and virtualized environments, three common-sense steps—enabled by a ubiquitous software layer across the application infrastructure and endpoints that exists independently of the underlying physical infrastructure—are proving to be key for providing Continue reading

Using Geolocation in Firepower Access Control Policies

The use of geolocation is fairly obvious in monitoring networks with Firepower Management Center. What may be less obvious is that Continents and Countries can also be specified as the source or destination of connections in an Access Control Policy. Basically, this geographical information becomes one more match criteria that can be used to identify traffic for a block or allow action.

To get to this capability, open the Access Control Policy that is in use by the Firepower device. Within the policy, open or create an applicable rule. On the network tab (where you configure the source and destination addresses) a Geolocation tab can also be found. Clicking on this tab exposes Continents and Countries. These can be added as sources and/or destinations.

ACPGEO

Note to reader: All Firepower content can be accessed by clicking here (or choosing Firepower from the menu at the top of the page).

As can be seen in the diagram above, I am creating a rule to block traffic to France. Before I save and deploy the policy changes to the device, I will confirm reachability to an IP address that exists in that part of Europe.

Last login: Mon Jul 17 11:48:29 on ttys000
PAULS:~ pauls$  Continue reading

Capture w/Trace in Firepower Threat Defense

A few days ago I wrote an article demonstrating the Packet Tracer feature for troubleshooting Firepower Threat Defense. Another very cool tool for troubleshooting is the Capture w/Trace Feature. The power of this tool comes from both capturing a PCAP file (for Wireshark or your tool of choice) and a separate window pane that has a view of the device operation (very similar to the Packet Tracer output).

Similar to Packet Tracer, to initiate Capture w/Trace in the Firepower Management Console, choose ‘Devices‘ then ‘Device Management‘. Next, select the device that you want to perform the operation and select the icon that looks like a screwdriver and wrench.

DevDevMgmt

Note to reader: All Firepower can be accessed by clicking here (or choosing Firepower from the menu at the top of the page).

This will produce the screen that provides health monitoring and troubleshooting for the device. Selecting “Advanced Troubleshooting” will change the view to a multi-tab troubleshooting screen.

AdvTroubleshoot

Select the Capture w/Trace tab. The Add Capture button will allow for selection of filter criteria for the capture.

CapturewTrace

Add Capture

AddCapture

After filling out this information and choosing “Save“, an entry will be created for Continue reading

What is FlexConfig in Firepower Threat Defense?

Earlier this year, Cisco released Firepower 6.2.0. With that release came a feature called FlexConfig. Someone is digging around the UI might not initially understand the purpose or function of this configuration option. A really quick answer to this is that the user interface is incomplete when compared to the underlying feature capability found in Firepower Threat Defense.

A good way to better understand FlexConfig is to work through an example. Those with an ASA background will understand the modular policy framework (MFP). This feature exists in Firepower Threat Defense but its non-default configuration options are absent from the user interface. So if there is a need for a specific configuration, FlexConfig is the tool to complete this task. One use case might be the need to disable SIP inspection. In the ASA configuration, this would typically be as simple as the following.

policy-map global_policy
 class inspection_default
  no inspect sip

Since Firepower Management Console is GUI driven and is the UI for FTD, this is not an option. Ideally, there would be a complete menu system and API. Since this is not currently the case, FlexConfig is the tool that provides us an override of the defaults that aren’t exposed in the UI.

Continue reading

The Real Need for Cybersecurity

According to the US Department of Homeland Security, “Our daily life, economic vitality, and national security depend on a stable, safe, and resilient cyberspace.” Digital infrastructure has infiltrated most aspects of our daily lives. When you start thinking about this in depth, it is easy to see how quickly things can turn s ugly.

Have you ever considered what would happen if our power grid was attacked? Beyond some of the domino effects the power grid itself has, think about the work to bring it back online. We are all accustomed to managing systems with other systems. A widespread power issue could create some very interesting chicken and egg problems.

Maybe some are smug enough to think they cannot be affected–they have built resilient systems and have a diesel generator. Ever consider the likelihood of that fuel supply being available for the long term if there’s no electricity? The affected part of the world would be so challenged by such an event that everyone would be impacted, directly and indirectly. No power, no computers, no network and no ability to transact business in the ways that we are accustomed to. In other words, the possibility of impacting physiological layer of Maslow’s pyramid Continue reading

1 119 120 121 122 123 181