Physical security first!

Via the Matasano Security blog, I learned about the recent theft at CI-Host’s Chicago facility. We used to host with them in Dallas up until recently.

The Register Story 

In recent years, many IT administrators have found religion about installing security patches and deploying other measures such as intrusion prevention systems to keep criminals from accessing their systems and the data stored on them. The series of break-ins at C I Host is a reminder that safeguards must also extend to more mundane protections, including dead-bolt locks and steel cages.

We don't know who the suspects are, but let us consider the ramifications of an inside job at a data center.

Asset: a server running an e-commerce site. The server stores customer information (credit cards, addresses, phone numbers) in encrypted form in a database. The cost of the hardware itself is negligible compared to the value of the customer data. All transactions go over SSL (for example, RSA key exchange with 128-bit RC4).

Is this secure enough against a burglary?

No! The burglar could arrange for a packet capture for a day or two in advance. Remember, he is an insider; this is quite easy with a simple optical splitter or network tap. After the burglary he can explore your web server at leisure for key material. To minimize this risk:

1. Do not store unencrypted private keys. Enter the passphrase when Apache (with mod_ssl) starts up instead. This is a pain when services are restarted automatically, such as after a crash; it is just too bad, you have to arrange for a human to attend to such events. Use an SMS notification service to be alerted after a crash at a data center.

2. Contact your certificate issuer immediately and revoke all certificates issued to you that were compromised. You may have to pay for new ones.

The long-term solution is of course Perfect Forward Secrecy.

If available, always use the Ephemeral Diffie-Hellman (DHE) key exchange. DHE offers perfect forward secrecy and is probably suitable for low- to medium-volume websites. Once DHE support is widespread among web servers, you can also set up your site to run shopping carts over RSA but renegotiate to DHE when transferring financial information (see “How to renegotiate stronger ciphers for a particular URL”). This can reduce the load on your servers.
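The threat in the scenario above (a capture taken before the theft, then the server's private key in the thief's hands) and the reason DHE defeats it can be shown in a small model. This is an added example, not code from the original post: it uses textbook RSA with tiny constructed primes as the server's long-term key (toy sizes, no padding), the 2048-bit MODP group 14 prime transcribed from RFC 3526 for DHE (check it against the RFC before reusing it), and SHA-256 as a stand-in for the TLS key derivation; the handshake and thief functions are hypothetical names chosen for this example.

```python
"""Model of the post's threat: a tap records SSL handshakes for a day or two, then the
server is stolen together with its private key.  RSA key transport vs. ephemeral DH."""
import hashlib
import secrets

# Server's long-term RSA key: textbook RSA with tiny constructed primes (toy only, no padding).
P, Q, E = 10007, 10009, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

# DH group: 2048-bit MODP group 14, transcribed from RFC 3526 (verify against the RFC before reuse).
DH_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
DH_G = 2


def derive_key(secret):
    """Session key = SHA-256 of the shared secret (stand-in for the TLS PRF)."""
    return hashlib.sha256(secret.to_bytes(max(1, (secret.bit_length() + 7) // 8), "big")).hexdigest()


def rsa_key_transport_handshake():
    """RSA key exchange: the client encrypts the premaster secret to the server's static key."""
    premaster = secrets.randbelow(N - 2) + 2
    on_the_wire = pow(premaster, E, N)           # this is what the optical tap records
    server_view = pow(on_the_wire, D, N)         # server decrypts with its long-term key
    assert server_view == premaster
    return derive_key(premaster), {"rsa_encrypted_premaster": on_the_wire}


def dhe_handshake():
    """DHE: fresh exponents per session; the long-term key only signs the public values."""
    a = secrets.randbelow(DH_P - 2) + 1
    b = secrets.randbelow(DH_P - 2) + 1
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)  # this is what the tap records
    client_secret, server_secret = pow(B, a, DH_P), pow(A, b, DH_P)
    assert client_secret == server_secret
    del a, b                                     # ephemeral exponents never touch the disk
    return derive_key(client_secret), {"dh_A": A, "dh_B": B}


def thief_recovers_session_key(transcript, stolen_d=D):
    """Attacker model: full packet capture plus the server's long-term private key (stolen box)."""
    if "rsa_encrypted_premaster" in transcript:
        # Decrypting the recorded premaster secret reveals every session key in the capture.
        return derive_key(pow(transcript["rsa_encrypted_premaster"], stolen_d, N))
    # A DHE transcript holds only g^a and g^b.  The stolen RSA key signed them but cannot
    # recover a or b, so the session key is not derivable: that is forward secrecy.
    return None


if __name__ == "__main__":
    key, transcript = rsa_key_transport_handshake()
    print("RSA transport, thief recovers key:", thief_recovers_session_key(transcript) == key)
    key, transcript = dhe_handshake()
    print("DHE, thief recovers key:", thief_recovers_session_key(transcript) == key)
```

The RSA branch is exactly why the post insists on a passphrase-protected key and immediate revocation: the passphrase denies the thief `D`, and revocation limits how long the stolen key can impersonate the site. Neither measure helps with sessions already captured, which is what the DHE branch fixes.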

Unfortunately, DHE support does not appear to be ready in Firefox and IE (I could be wrong). Netscape Security Services (NSS 3.11), which is used by products such as Firefox 2.0 and Mozilla, does not seem to support Ephemeral Diffie-Hellman as a key exchange algorithm. The tables on the NSS website, however, claim that ciphers such as TLS-DHE-RSA-with-AES-256-CBC-SHA are supported on the client side only. Does this mean tools like Firefox, which only require client-side functionality, will support DHE shortly? We have to wait and see.

In summary,

  • Pay attention to the SSL/TLS infrastructure you have in place.
  • Minimize the impact of traffic capture that might have occurred just prior to the physical theft (use PFS, do not remove passphrases from private keys, revoke certificates immediately).
  • Do we need armed human security guards? The banks have them.


How to monitor IPv6 traps with Unbrowse

trapv6.jpg

Recently we received an email from a user saying they were having trouble with IPv6 traps. Hopefully the folks (esp in Japan) who are running IPv6 networks will find this post useful.

Unbrowse SNMP is a passive receiver

Unlike other trap receivers, Unbrowse SNMP performs passive trap reception. It can listen to arbitrary traffic and extract only the SNMP traps from it. It is not necessary to change the router configuration to send IPv6 traps to the machine running Unbrowse: as long as the trap traffic is visible to that machine, things will work. You can use techniques like port spanning (port mirroring) to make traps visible to Unbrowse. This allows you to monitor any mix of IPv4 and IPv6 traps, sent by any agent to any manager, right out of the box!

Note: You can also fall back to the ‘classic mode’, where Unbrowse SNMP acts as a trap receiver daemon: it opens a UDP socket and listens for traps sent to that socket. Go to Tools -> Customize -> Trap Console and select “Normal UDP Socket” as the preferred provider.
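What “passive trap reception” means at the packet level, as an added example that is not Unbrowse code: the function walks a raw Ethernet frame through IPv4 or IPv6 and UDP, BER-decodes the SNMP message, and keeps it only if the PDU is a v1 Trap, SNMPv2-Trap or Inform, whatever port or manager it was addressed to. It assumes untagged Ethernet frames, no IPv6 extension headers and SNMPv1/v2c messages; the function names, the sample IPv6 frame, its 2001:db8:: addresses and the community string are all constructed for this example.

```python
"""Passive SNMP trap extraction from raw Ethernet frames (IPv4 or IPv6)."""
import ipaddress
import struct

SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"                       # snmpTrapOID.0
PDU_NAMES = {0xA4: "Trap-v1", 0xA7: "SNMPv2-Trap", 0xA6: "InformRequest"}


# ---- minimal BER helpers (enough for SNMPv1/v2c messages) ----
def ber(tag, content):
    """Encode one TLV with definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def ber_int(value, tag=0x02):
    """INTEGER (or TimeTicks/Counter with an application tag) for non-negative values."""
    return ber(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return ber(0x06, bytes(out))


def tlv(buf, pos):
    """Decode one TLV at pos; returns (tag, content, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def decode_oid(content):
    """Inverse of ber_oid (first arc 0/1 only, which covers 1.3.6.1.* MIB OIDs)."""
    arcs, v = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def parse_snmp_trap(payload):
    """Decode an SNMP message; return a summary only if it is a trap/inform PDU, else None."""
    try:
        tag, msg, _ = tlv(payload, 0)
        if tag != 0x30:
            return None
        _, ver, pos = tlv(msg, 0)
        _, community, pos = tlv(msg, pos)
        pdu_tag, pdu, _ = tlv(msg, pos)
        if pdu_tag not in PDU_NAMES:
            return None                                  # Get/Set/Response traffic is ignored
        version = int.from_bytes(ver, "big", signed=True)
        info = {"version": {0: "v1", 1: "v2c"}.get(version, "?"),
                "community": community.decode(), "pdu": PDU_NAMES[pdu_tag]}
        if pdu_tag == 0xA4:      # v1 Trap-PDU: enterprise, agent-addr, generic, specific, time-stamp
            _, enterprise, pos = tlv(pdu, 0)
            info["trap_oid"] = decode_oid(enterprise)
            for _ in range(4):
                _, _, pos = tlv(pdu, pos)
        else:                    # v2c Trap/Inform: request-id, error-status, error-index
            pos = 0
            for _ in range(3):
                _, _, pos = tlv(pdu, pos)
        _, varbinds, _ = tlv(pdu, pos)
        pos = 0
        while pos < len(varbinds):
            _, vb, pos = tlv(varbinds, pos)
            _, oid, p = tlv(vb, 0)
            vtag, val, _ = tlv(vb, p)
            if decode_oid(oid) == SNMP_TRAP_OID and vtag == 0x06:
                info["trap_oid"] = decode_oid(val)
        return info
    except (IndexError, ValueError, UnicodeDecodeError):
        return None


def extract_trap(frame):
    """Passive path: Ethernet -> IPv4/IPv6 -> UDP -> SNMP.  None for anything that is not a trap."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0800:                              # IPv4
        if len(frame) < 34 or frame[23] != 17:           # protocol field must be UDP
            return None
        ihl = (frame[14] & 0x0F) * 4
        src, dst = ipaddress.IPv4Address(frame[26:30]), ipaddress.IPv4Address(frame[30:34])
        udp = frame[14 + ihl:]
    elif ethertype == 0x86DD:                            # IPv6 (no extension headers: assumption)
        if len(frame) < 54 or frame[20] != 17:           # next-header field must be UDP
            return None
        src, dst = ipaddress.IPv6Address(frame[22:38]), ipaddress.IPv6Address(frame[38:54])
        udp = frame[54:]
    else:
        return None
    if len(udp) < 8:
        return None
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    info = parse_snmp_trap(udp[8:ulen])                 # any port: a tap must not assume 162
    if info:
        info.update(agent=str(src), manager=str(dst), dport=dport)
    return info


def build_sample_ipv6_trap_frame():
    """Constructed sample: SNMPv2c linkDown trap from an IPv6 agent to an IPv6 manager."""
    varbinds = ber(0x30, ber(0x30, ber_oid("1.3.6.1.2.1.1.3.0") + ber_int(12345, tag=0x43))
                   + ber(0x30, ber_oid(SNMP_TRAP_OID) + ber_oid("1.3.6.1.6.3.1.1.5.3")))
    pdu = ber(0xA7, ber_int(1) + ber_int(0) + ber_int(0) + varbinds)
    snmp = ber(0x30, ber_int(1) + ber(0x04, b"public") + pdu)
    udp = struct.pack("!HHHH", 50123, 162, 8 + len(snmp), 0) + snmp   # checksum left 0 (sample)
    src, dst = ipaddress.IPv6Address("2001:db8::a"), ipaddress.IPv6Address("2001:db8::1")
    ip6 = struct.pack("!IHBB", 0x60000000, len(udp), 17, 64) + src.packed + dst.packed
    return bytes(12) + b"\x86\xdd" + ip6 + udp           # zero MAC addresses, EtherType IPv6
```

The same `extract_trap` call is what a span-port listener would apply to every captured frame; the sample frame shows the decoded result (`agent`, `manager`, `version`, `pdu`, `trap_oid`) for an IPv6 trap without any change on the router.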

How to use?

1. First download and install the latest version of Unbrowse SNMP.

2. Install WinPcap from here.

3. Start Unbrowse and press the Trap Console button.

4. All traps seen by the machine running Unbrowse SNMP will now be shown.

5. You can create agents with IPv6 addresses via Agents -> Manage.

6. You can also create IPv6 address based filters via Traps -> Manage Filters.

Feedback welcome via email at : 

New SNMP software updates

We just released a new build of Unbrowse SNMP R1.5.

Apart from bug fixes this release contains some new features:

1. SNMP Poller Charts enhanced

2. Remote Trap browser enhanced

3. MIB packages updated (all the latest Cisco MIBs, 30MB, installed in one click)

SNMP Poller Charts

Unbrowse SNMP already features a very powerful real-time poll chart. You can track any number of objects in any number of windows. You can also track the same object from different routers in a single chart.

pollfloat1.jpg
Figure: Float tiny poll windows on your desktop

The new release makes the poller even more powerful.

Float poller windows outside the Unbrowse SNMP main window: you can leave these little poll windows in a corner of your desktop while you do your other work. How to? Click the “Float” icon on the toolbar.

Save/Restore state of poller windows: To start a poll you must first select an object you want to track from the walker sheet, then press the “Track” button. Once you have your favorite pollers up and running, select “File -> Save Chart State”. This saves everything about the pollers, including window positions, sizes and objects. Next time you start Unbrowse SNMP, just select “File -> Restore Chart State”. Voila! Everything is back again.

Continuous tracking: Some users leave the poller running for weeks, but they are interested only in the most recent 24 hours or so. You can now adjust the time window. Select “Tools -> Customize -> Advanced -> Walker”, then adjust the “Poll Chart Time Window (hours)”. If you want to track only the most recent 2 days, set the value to 48 hours. If you want to track indefinitely, set the value to 0 (this is the default).


Remote Trap Browser

The SNMP Trap Console allows you to passively monitor SNMP trap activity on your network. Unlike other receivers, you do not have to make any changes to your network elements. Just span a port and Unbrowse SNMP can see everything!

The remote trap console feature allows you to use a web browser to remotely check trap activity. Unbrowse is installed in the data center and connected to a tap or a span port. This feature allows network admins to view the traps remotely without having to make a trip to the data center.

traphttp1.jpg

Figure: Drop-down lets you browse all traps

Faster loading: The previous version had up to 8 seconds of delay while retrieving a screenful of traps. This was due to a problem with the way the stylesheet was being retrieved. Now, traps load much faster.

Browse traps: In cases where Unbrowse SNMP has tens of thousands of traps, we want to show the most recent 100 but also let the user view the others. The new release paginates the HTML page returned; the user can select any page from the drop-down list and access those traps.

Download now. This update is free for all current customers of Power Features.