What's cooking?

May the new year 2008 make all your wishes come true.


A sneak peek at early 2008

To our many Unsniff Network Analyzer users: we realize that our latest build is over 10 months old. You can expect a new release shortly which will integrate many tools like our VoIP Analyzer, TCP Congestion Analyzer, and drill-down statistics. We are also planning a brand new user interface for Vista. There is also a major surprise in the next release!

Unbrowse SNMP is close to feature maturity. We will release 2.0 in the middle of the year. One of the planned features is to forward traps via SMS messages. We welcome more suggestions.

Bug fixes and minor enhancements will happen regularly.

Thanks for your support & stay tuned.

New MIB Compiler screencast

One of the common complaints about Unbrowse SNMP is that compiling enterprise MIBs is too unintuitive.

To compile in a MIB:

1) You had to right-click on a tree and select Add MIBs..

2) If there were any errors, you had to do the whole thing again, instead of just fixing the error and pressing a single key.

We just released a new version of Unbrowse SNMP today that allows you to open any MIB file and compile it by simply pressing F7. You can edit it again, and press F7 to recompile it and have the changes reflected instantly in the MIB Browser window.

Here is a screencast of how this works (opens in new window)!

[Screencast image: f7compile.jpg]


Download today. This feature is completely FREE – no strings attached, does not expire.

Physical security first!

Via the Matasano Security blog, I learned about the recent theft at CI-Host’s Chicago facility. We used to host with them in Dallas up until recently.

The Register Story 

In recent years, many IT administrators have found religion about installing security patches and deploying other measures such as intrusion prevention systems to keep criminals from accessing their systems and the data stored on them. The series of break-ins at C I Host is a reminder that safeguards must also extend to more mundane protections, including dead-bolt locks and steel cages.

We don't know who the suspects are, but let us consider the ramifications of an inside job in a datacenter.

Asset: a server running an e-commerce site. The server stores customer information (credit cards, addresses, phones) in an encrypted format in a database. The cost of the hardware itself is negligible compared to the value of the customer data. All transactions are via SSL (for example RSA 128 with RC4).

Is this secure enough against a burglary?

No! The burglar could arrange for packet capture for a day or two in advance. Remember, he is an insider. This is quite easy using a simple optical splitter or network tap. After the burglary he can explore your webserver at leisure for key material. To minimize this risk:

1. Do not store unencrypted private keys. Enter the passphrase when Apache (with mod_ssl) starts up instead. This may be a pain when services are automatically restarted, such as after a crash, but it is just too bad: you have to arrange for a human to attend to such events. Use an SMS notification service to be alerted after a crash at a data center.

2. Contact your certificate issuer immediately and revoke all certificates issued to you that were compromised. You may have to pay for new ones.

The long-term solution is of course Perfect Forward Secrecy.

If available, always use the Ephemeral Diffie-Hellman (DHE) key exchange. DHE offers perfect forward secrecy and is probably suitable for low to medium volume websites. Once DHE support is widespread among webservers, you can also set up your site to do your shopping carts using RSA, but renegotiate to DHE when transferring financial information. (See "How to renegotiate stronger ciphers for a particular URL".) This can reduce the load on your servers.

Unfortunately, DHE support does not appear to be ready in Firefox and IE (I could be wrong). Netscape Security Services (NSS 3.11), which is used by products such as Firefox 2.0 and Mozilla, does not seem to support Ephemeral Diffie-Hellman as a key exchange algorithm. The tables on the NSS website, however, claim that ciphers such as TLS-DHE-RSA-with-AES-256-CBC-SHA are supported on the client side only. Does this mean tools like Firefox, which only require client-side functionality, will support DHE shortly? We have to wait and see.
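To make the difference concrete, here is a small Python model of why a recorded session survives a later key theft under RSA key exchange but not under DHE. It is an added example, not code from the original post, and it uses constructed toy parameters (a textbook RSA key with modulus 3233 and a 2^61-1 DH group) in place of real key sizes.

```python
import secrets

# Constructed toy parameters, for illustration only: real deployments use
# 2048-bit RSA keys and the RFC 3526 MODP groups, not these sizes.
RSA_N, RSA_E, RSA_D = 3233, 17, 2753   # textbook RSA key pair (p=61, q=53)
DH_P, DH_G = 2**61 - 1, 5              # toy finite-field DH group


def rsa_handshake():
    """RSA key exchange: the client picks the premaster secret and encrypts it
    to the server's long-term public key. Returns (wire transcript, secret)."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    client_key_exchange = pow(premaster, RSA_E, RSA_N)   # what a tap sees
    return {"client_key_exchange": client_key_exchange}, premaster


def dhe_handshake():
    """Ephemeral DH: each side uses a one-off exponent (a, b) that is thrown
    away after the handshake; the long-term RSA key only signs the exchange."""
    a = secrets.randbelow(DH_P - 2) + 1
    b = secrets.randbelow(DH_P - 2) + 1
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)      # public values on the wire
    secret = pow(B, a, DH_P)
    assert secret == pow(A, b, DH_P)                   # both sides agree
    return {"server_dh_public": A, "client_dh_public": B}, secret


def attacker_recovers(transcript, stolen_rsa_d):
    """Attacker model from the post: a packet capture taken before the burglary,
    plus the server's RSA private key read off the stolen disk afterwards."""
    if "client_key_exchange" in transcript:
        # RSA key transport: the stolen key decrypts every recorded premaster.
        return pow(transcript["client_key_exchange"], stolen_rsa_d, RSA_N)
    # DHE: the transcript holds only g^a and g^b; the RSA key yields nothing,
    # and the exponents never touched the disk.
    return None


def demo():
    """Returns (rsa_session_exposed, dhe_session_exposed)."""
    rsa_wire, rsa_secret = rsa_handshake()
    dhe_wire, dhe_secret = dhe_handshake()
    return (attacker_recovers(rsa_wire, RSA_D) == rsa_secret,
            attacker_recovers(dhe_wire, RSA_D) == dhe_secret)


if __name__ == "__main__":
    print(demo())   # (True, False)
```

A stolen RSA key still lets the thief impersonate the server in future DHE handshakes, which is why the certificate revocation step above is needed in both cases.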

In summary,

  • Pay attention to the SSL/TLS infrastructure you have in place.
  • Minimize the impact of traffic capture that might have occurred just prior to the physical theft. (Use PFS, do not remove passphrases from private keys, revoke certificates immediately.)
  • Do we need armed human security guards? The banks have them.
