CIPP Guide » IA

Secure Messaging Gateway: An Ironport Review

jbrook — Wed, 26 Mar 2008 13:38:00 +0000

Over the weekend, I did a lot of reading on a company in the mail gateway business called Ironport. I mean a lot of reading. This was another consolidation (see Why behemoths buy startups & March 08′s Information Security Magazine’s Schneier/Ranum Face Off), with Cisco snatching up the market leader.

I read about capabilities, product offerings, market penetrations, strategic positioning, competitors and magic quadrants. All of this was at the urging of a friend of mine at Cisco, and how this product would drive profits for the company for the next several quarters.

I did a similar exercise for my boss with respect to Postini, and their SOA mail security capabilities purchased by Google in 2006 (More on Postini in a future post). I expect his interest is due to the encrypted email gateway.

So what did I learn. First, both of these guys lay claim to reputation based filtering. One holds the patent (Postini, more on this in a later post) and one has it widely implemented, maybe even longer than the patent was applied for (if so, of course that would invalidate the patents).

Gartner thinks Postini would only use those patents defensively. I wonder what would happen if a new Executive management team came in at the search giant… Cisco has deep pockets, but Google’s “do no evil” mantra should keep this out of litigation. Why? Because Ironport gateways are installed worldwide, and their reputation filters handle 5 Billion email messages. Per day! They calculate that’s over 40% of the mail traffic worldwide. From that traffic analysis, they push threat updates in near real time (every 5 mins).

I’d say that is doing no evil. John Chambers likes monopolies. Ish (for the Justice Department and the Sherman Anti-trust Act). Cisco has 80% of the router and switch market. A lot of companies say ‘Does it have a Cisco tag on it? Yes? Then it can come into my network…’

In addition to the reputation filters, Ironport has several other unique features. They built their gateways on a modified FreeBSD OS they call AsycOS. AsycOS’ security includes a limited port attack surface, reputation based filtering at the connection level, an LDAP/Active Directory integration that drops mail for invalid addresses without the Exchange & Notes wasting their CPU cycles and disk space. Performance enhancements include a non-blocking I/O write cache (disk access IO is their major bottleneck), and intelligent mail transfers (check to see if a domain is up before sending), and per receiving domain message queuing. Lastly are the management features, including an intuitive, web based GUI (it really is pretty simple), a three tiered rule set deployment, and a peer-to-peer control structure. For disconnected users, there’s also an email gateway. And of course, they have tons of case studies from recognizable names like Dell, Virgin, Ryder, Johns Hopkins, etc…

I expect Cisco will increase Ironport’s distribution throughout the messaging space. Now we just need Microsoft to buy Tumbleweed (the other upper right magic quadrant product) and the big mergers and acquisitions will be complete.

Want to hack ANYONE's computer? Just follow Microsoft's lead!

jbrook — Thu, 13 Sep 2007 23:31:00 +0000

Original Post on 13-Sep-07 7:37pm:

In an interesting move today, it is reported that Microsoft is silently updating Windows XP and Vista. I emphasize silently. Remember Sony’s rootkit debacle? There are no reports of problems, but when my machine mysteriously decided on its own that it was time to reboot in the middle of a presentation, it made me look bad, and question my IT staff. We don’t have auto update turned off, but several of our customers do because of patching and regulatory restrictions. And this patch occurs even in the instances where customers turned off Windows Update!

Lo and behold, Microsoft itself granted privileges on every single XP and Vista system. With all the discussions about how trustworthy and secure new versions of Windows are, and the publicity surrounding Sony’s music CD installations, it stands to reason that Microsoft would not want this capability under any circumstances.

So what does this imply to an information security professional? A back door. Cisco, Symantec, and McAfee all claim their security products are rock solid, and because of encryption, digital rights management, and other safety precautions are safe to use. In their NACAttack presentation at Black Hat 2007, Dror-John Roecher and Michael Thumann showed just how safe Cisco’s security protections are, and how complexity breeds difficulty in security. Cisco puts in a ton of security measures so that hackers can’t connect to the network, and these researchers cracked it. Why make it any easier for an attacker, by giving them yet another vector to “update” files in the Operating System.

I don’t care if all of this is for the betterment of my computer experience; if I don’t want it, or insist you ask me about, you’re obligated to do just that. Explain the risks to me, then ask if I’d like to install it now. That way, if I’m in the middle of a presentation for a multi-million dollar sale, I can quietly decide that now’s not the best time for an update.

Want not be hacked? Security Vendors – why less is more!

jbrook — Mon, 10 Jul 2006 18:07:00 +0000

Original Post on 10-Jul-06 5:30pm
The IT industry loves advanced technology, even to the point of gadgetry. Some immature technologies are adopted simply for the gee whiz factor. Others have a specific niche application, and are money well spent. The IT staff spends time and effort integrating the new application into the enterprise architecture, and then rolls out the first release. Security in the past relied on these new, hot technologies; they were stand-alone, and the architects selected the best of breed product after a trade study or bake-off.

This methodology worked well in the past; each new piece added received its own separate command and control structure and performed its stove-piped duties. Routers begat Firewalls begat Anti-virus begat IDS begat… IT spent more time distilling information, managing products and filing RFPs, and less time making the company more efficient/profitable/secure. Other niche vendors offered Security Incident Management products, hoping to ease the burden and consolidate Syslogs and IPS reports from disparate sources. This produced another product management specialist or further taxed the existing staff.

As happens with maturing industries, vendors consolidated (see Why the Behemoths Buy Startups – The Business of Research & Development and Fortune 500′s.) The larger companies’ integrated products became more easily managed, required less staff, and fewer end operation center consoles. The new product line also reduced operations center specialization. And yes, for you back-office folks, from a business perspective this lower cross-training is a benefit. Have you ever seen the pay checks for a really good UNIX admin?

Single vendor implementations have one other major advantage: outsourcing. A mid-sized restaurant business doesn’t make money on the latest security roll-out, and would be better served paying lower total ownership costs to someone else familiar with those services. The Managed Security Service Providers are more than happy to oblige. MSSPs like dealing with a specific product set. They will take an upfront hit on replacing a few customer security products with their preference for later recurring revenue streams. Replacement simplifies their monitoring through use of the single vendors management and reporting tools bundled with products. And they can claim the latest releases with minimized testing and upgrade headaches. After all, the single vendor is responsible for the interoperation.

Some readers may ask: “What about the best of breed? Firewall product X is 15% more efficient at 95% bandwidth utilization and…” or “Antivirus product Y has 12 more virus signatures with…”. One word: commoditization. Honestly ask yourself, by the time a head-to-head comparison reaches print, do you think Cisco, Symantec, or Microsoft have not already incorporated/road mapped whatever features they lacked? Major vendor mitigation strategies or defense in depth approaches abound, and the small players will not hold the top spot for long. They will be bought, or made inconsequential, as a great idea that everyone else incorporated. Ask the product set vendors. They’re more than happy to tell you how they’ve already overcome those anomalies. Their products are “good enough”, and will surpass any competitive deficiencies through sheer programming muscle

This single vendor solution is by no means perfect. Each new acquisition requires a release just to change the startup screens and badging. After the first major revision, the acquirer’s developers typically figure the new product out, and harmony returns to the vendor’s product set. The “commodity feature” incorporation into existing products may likewise take a programming cycle, maybe even two. Your individual product security may suffer slightly, but the tools working in concert produce a higher security, complete solution. The advantages far outweigh the detractors.

Hacking "Linked-In": Working around the social part of social networking

jbrook — Wed, 14 Jun 2006 22:50:00 +0000

Original Post on 14-Jun-06 4:50pm
I use “Linked-In” for a social networking, and online contact management tool. It’s quite convenient, nearly a true peer-to-peer instantiation of a friend of a friend tool (at least in the free version) and pretty indicative of most of these sites. In order to connect with someone, you either must have their email address and send them an invitation, or ask someone you’re already connected with for an introduction, all brokered by Linked-In. I say nearly a true peer-to-peer social networking tool, as there are a couple of ways to bypass their system. Take a look at the following “Linked-In” profile:

Computer & Network Security Professional
Greater Los Angeles Area | Computer & Network Security
Experience:
Sales
Northrop Grumman
Computer & Network Security Industry
1985 – Present (21 years)
Business Development Manager
Lockheed
Computer & Network Security Industry
1995 – 2006 (11 years)
Business Development Manager
Boeing
Computer & Network Security Industry
1995 – 2006 (11 years)
Business Development Manager
Northrop
Computer & Network Security Industry
1985 – 2006 (21 years)
Business Development Manager
Blue Lance
Computer & Network Security Industry
1995 – 2006 (11 years)
Sales
Decision One
Computer & Network Security Industry
1995 – 2005 (10 years)
Business Development Manager
Pacific Bell
Computer & Network Security Industry
1995 – 2005 (10 years)
Business Development Manager
DecisionOne
Computer & Network Security Industry
1995 – 2005 (10 years)
Business Development Manager
SBC
Computer & Network Security Industry
1995 – 2005 (10 years)

I received this yesterday as a “Colleague” connect request. If your years at a specific company or school overlap with someone else, a feature within the site allows a bypass mechanism. Your message is automatically sent without any outside broker (introducer/friend) or previous knowledge (an email address). It appears that this gentleman was a very rich, and very busy boy. In fact, since 1985, he “worked” at 7 major companies simultaneously. The only people I know afforded that sort of leeway are consultants, and they aren’t business development managers (the SEC frowns on this, something about overlapping strategies and oligopolies). All of his employers are in the Computer & Network Security Industry, and security’s a hot market, so my guess is, he’s a head hunter, or maybe a mass marketer selling niche email lists. Or maybe, he’s a corporate spy. Probably not, but that’s the security guy in me.

I bring this up for user education. I personally found several University classmates I hadn’t talked to in over 10 years through this same feature. And there is a temptation for networking with this guy; it appears over 177 people accepted his invitation. The only question really is how many of them he actually knows. Thankfully, you still have to choose to link with your contacts. Linked-In gives you the option of reporting the user for agreement violation. Just think before you click. If it doesn’t look right, it probably isn’t. What’s a social network if there’s no value in who you’re connected with?

Are you at risk? Bogus Entries on Networking Sites & it's impact on personal branding

jbrook — Tue, 13 Jun 2006 01:24:00 +0000

Original Post on 12-Jun-06 9:24pm
The Information Assurance (IA) industry is quite small; the same major players are known throughout everyone’s circles. Gene Spafford is the GodFather. His legendary research into the security arena influenced most (read all) computer science/engineering students since before my time, and his contributions through Purdue’s CERIAS department still push IA research. Martin Roesch designed the Snort Intrusion Detection System, considered by most as the only open source IDS deployable in a true operational environment. And Stephen Northcutt, the Director of the SANS Institute and originator of the SHADOW IDS from the Dahlgren Naval Surface Warfare Center, advertised by many as the first Network IDS. All of these men are well connected, and their reputations don’t do their contributions justice.

So recently, in the midst of finishing my graduate studies and a shakeup within my current company, I thought it might be a good idea to clean up my resume. I’ve written a few papers, passed a couple of certifications, and spent time with a few companies. When I do a vanity search, I come up with a half dozen hits. Not bad, but those hits don’t cover most of my work. In the wake of my recent schooling on the importance of marketing, I decided I should begin building my personal “brand”. That’s about the time I received an invitation to join “Linked-In” from a former colleague, and I started examining the networking sites. What a way to rediscover my contacts! Linked-In claims 6 Million users. The US has a population of roughly 240 M. And think who actually joins these networking sites: Information Technology or other well heeled white collar workers. I went through my stack of business cards, and found 100 or so people I’d met, be them vendors, University contacts, or colleagues. Each person that joined added a couple more names I recognized, and everything kept growing.

Now for the funny part. Remember about the size of the IA industry. The major players were already on the site. I sent them invitations, and received word back from most of them. Until Northcutt. I found him on the site, and posted the invite, expecting a quick note back saying hello. Instead Stephen Northcutt writes: “For real, I am not a member of LinkedIn, that is weird.”

I sent him a copy of “his” profile, to which I received: “That is awesome, and that was my job title back in 2004. Anyway, I promise I am not a linked inner”. I started thinking about what could actually happen with irresponsible/malicious use of these sites. What could branding theft hurt? I could see networking impersonation benefits, people sending invites based on your status/reputation… They put together a huge email list of the best/brightest of your contacts, those that are the most “linked-in”. What happens when they ask for introductions, based on your title and prestige, to other top connections. Think about “you” asking Spaf or Marty for introductions to their 600 or 1000+ contacts. Or better still, a VC evaluator, someone like Becky Bace, another IA heavy weight. Your contacts happily oblige the introductions. It’s no longer a cold call for the imposter.

The reason I bring this up is simple. These are security experts. Stephen has a list of accomplishments that most people dream of for an industry reputation. I mean, he started an Information Security training institute. How would he ever know he’d been duped? And how would it be corrected? If the security experts miss this, what about you?