Next Generation Firewalls: It’s all about tuples

By Michael Kassner
November 28, 2011, 11:23 AM PST

Takeaway: Next-generation firewalls have been around for several years, but garnered little interest. That’s changing as first-generation firewalls aren’t keeping up.

IT professionals responsible for perimeter defenses are frustrated.

Case in point: Internet traffic of every shape and size rides on port 80, so port 80 has to stay open. Attackers know this, and port 80 becomes their private malware highway: trucks full of malcode drive straight past the checkpoint.

There is hope

I’d like to introduce Next Generation Firewalls (NGFW): firewalls that make their filtering decisions on the application carried in the traffic, not on the port alone. To continue the analogy, the trucks loaded with malcode can no longer drive straight past the checkpoint.

Other features incorporated in NGFWs:

  • Enforce company policy: NGFWs can control which websites and online applications users are allowed to reach.
  • SSL proxy: NGFWs can terminate an SSL connection, decrypt and inspect the traffic, and re-encrypt it toward the destination, which takes encryption away as a way of hiding malware. Two caveats a deployment has to plan for: clients must trust the firewall’s signing certificate, or every intercepted site shows certificate errors, and the firewall becomes a high-value target because it sees every inspected session in the clear.
  • IDS/IPS: NGFWs incorporate deep packet inspection, to the point where standalone IDS/IPS devices are not required.
  • Active Directory friendly: many NGFWs can authorize application usage per user or group rather than per IP address.
  • Malware filtering: NGFWs use signature- and reputation-based filtering to block malicious applications.


Vendors

Palo Alto Networks was the first company to offer an NGFW. For Palo Alto Networks’ list of what an NGFW must do, see its white paper. Barracuda Networks, Juniper Networks, and WatchGuard also offer NGFW products.

N-tuple?

Just about every blog post I’ve read about NGFWs mentioned tuples. I had no idea what they were. Hopefully, you do. If not, here’s what I found out.

An n-tuple is an ordered collection of n attributes; in a firewall rule, those attributes are the criteria a packet must match. N is a placeholder for the number of attributes in the list. For example, a 5-tuple “allow” rule includes:

  • Source IP address
  • Source port (typically: any)
  • Destination IP address
  • Destination port (80 or 443 for web traffic)
  • Transport protocol (typically TCP)

If the packet being inspected matches all five attributes, the firewall lets it through. Note what such a rule never looks at: the payload. Anything at all aimed at TCP port 80 satisfies the web rule, whether it is a browser session or a malware download.

Widening the 5-tuple

I thought I was “good to go” after figuring out what a tuple was. Then I read something about “widening the 5-tuple”. Widen a tuple. Does that even make sense?

Let’s see if it does.

As mentioned earlier, a first-generation firewall rule is built on five attributes, the 5-tuple. That is sufficient for stateful port and protocol inspection, Network Address Translation (NAT), and Virtual Private Network (VPN) tunnels.

A 5-tuple rule set is not sufficient for an NGFW. Next Generation Firewalls need additional attributes, such as application type and user identity, to work as advertised. To understand why, consider the port 80 analogy one last time.

If it’s discovered that the truck carrying malcode has an illegal license plate, the truck ain’t going anywhere. The same applies to malcode: if its license plate, the “application type” attribute, is not what the rule permits on that port, the traffic is blocked from continuing on.

Adding attributes such as application and user to the match criteria is what “widening the 5-tuple” means: the rule becomes a 7-tuple (or wider), and a packet now has to match on what it carries and who sent it, not just on addresses, ports and protocol.
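To make the “N-tuple?” and “Widening the 5-tuple” sections concrete, here is a toy policy engine I added for this write-up (it is not code from the article or from any vendor). It evaluates the same first-match policy twice: once as a classic 5-tuple rule, and once with the tuple widened by an application label and a user identity. The rule names, the application labels (“web-browsing”, “unknown-tcp”), the user names and the sample flows are all constructed for the example; real products use their own identifiers.

```python
"""Toy policy engine: a classic 5-tuple rule next to the same rule widened with
application and user attributes.  Added example; not code from the article."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple, Union

ANY = "any"
# A match spec is ANY, a single value, or a tuple of acceptable values (a "group").
Spec = Union[str, int, Tuple]


@dataclass(frozen=True)
class Flow:
    """What the firewall can observe about one connection.  The first five
    fields are the 5-tuple; app and user are the NGFW additions."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str                  # "tcp", "udp", ...
    app: Optional[str] = None   # from payload identification; None = not identified
    user: Optional[str] = None  # from directory/user-ID mapping; None = unknown


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    src_net: str = ANY
    src_port: Spec = ANY
    dst_net: str = ANY
    dst_port: Spec = ANY
    proto: Spec = ANY
    # Widened attributes.  Defaulting them to ANY means a first-generation
    # 5-tuple rule is just a 7-tuple rule that ignores the two extra fields.
    app: Spec = ANY
    user: Spec = ANY

    def matches(self, f: Flow) -> bool:
        return (_net_ok(self.src_net, f.src_ip) and _net_ok(self.dst_net, f.dst_ip)
                and _member_ok(self.src_port, f.src_port)
                and _member_ok(self.dst_port, f.dst_port)
                and _member_ok(self.proto, f.proto)
                and _member_ok(self.app, f.app)
                and _member_ok(self.user, f.user))


def _net_ok(spec: str, ip: str) -> bool:
    return spec == ANY or ip_address(ip) in ip_network(spec, strict=False)


def _member_ok(spec: Spec, value) -> bool:
    """ANY matches everything.  A flow whose attribute is still unknown (None)
    never satisfies a rule that constrains that attribute: fail closed."""
    if spec == ANY:
        return True
    if value is None:
        return False
    return value in spec if isinstance(spec, tuple) else value == spec


def evaluate(rules, flow: Flow) -> str:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in rules:
        if rule.matches(flow):
            return f"{rule.action}:{rule.name}"
    return "deny:implicit"


# First-generation policy: the LAN may reach TCP/80 and TCP/443 anywhere.
LEGACY_POLICY = [
    Rule("web-out", "allow", src_net="10.0.0.0/8", dst_port=(80, 443), proto="tcp"),
]

# Widened policy: the same 5-tuple, but the traffic must also *be* web browsing
# and come from a known member of the staff group; anything else aimed at those
# ports is caught by an explicit deny so it shows up in the logs.
STAFF = ("alice", "bob")
NGFW_POLICY = [
    Rule("web-out", "allow", src_net="10.0.0.0/8", dst_port=(80, 443), proto="tcp",
         app="web-browsing", user=STAFF),
    Rule("port80-abuse", "deny", dst_port=(80, 443), proto="tcp"),
]

# Constructed sample flows (TEST-NET addresses; app and user labels are hypothetical).
BROWSING = Flow("10.1.2.3", 51000, "198.51.100.10", 80, "tcp", app="web-browsing", user="alice")
BEACON = Flow("10.1.2.3", 51001, "203.0.113.9", 80, "tcp", app="unknown-tcp", user="alice")
ANON = Flow("10.1.2.4", 51002, "198.51.100.10", 443, "tcp", app="web-browsing", user=None)

if __name__ == "__main__":
    for label, flow in (("browsing", BROWSING), ("beacon", BEACON), ("anon", ANON)):
        print(f"{label:9} legacy={evaluate(LEGACY_POLICY, flow):16} "
              f"ngfw={evaluate(NGFW_POLICY, flow)}")
```

Under the legacy policy the beacon to TCP/80 is allowed exactly like the browser session, because the two flows are identical in every field the 5-tuple can see. Under the widened policy the beacon fails the application attribute and the unidentified user fails the user attribute, so both fall through to the explicit deny. The fail-closed choice in `_member_ok` is deliberate: an NGFW cannot identify the application until it has seen a few packets, and a rule that constrains application should not match on “unknown”.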

Confession time: I did not find a clear-cut explanation of how tuples relate to firewalls. But, article after article mentioned tuples. So, I jumped in. If my explanation is wrong, I hope firewall and database admins that better understand will bail me out.

Survey says

The Ponemon Institute just completed a survey on NGFWs for Sourcefire, Inc. The accompanying infographic provides several interesting statistics, particularly on what is driving interest in NGFWs and on the percentage of respondents who noticed performance degradation.

Final thoughts

The race toward sophistication between malware and anti-malware continues. Stay tuned.

Microsoft Boasts 90,000,000 Windows 7 Sold


Windows 7: Over 90 Million Served.

Even when Windows 7 launched into a warm reception (and brisk sales), Microsoft didn’t reveal exact sale numbers for its new OS – until today.

Microsoft CFO Peter Klein announced at the Morgan Stanley Technology, Media & Telecom Conference that Windows 7 has sold 90 million licenses to-date.

Until recently, Microsoft’s company line when boasting about Windows 7 sales was that it is the fastest-selling operating system in history, without any accompanying number.

Windows 7 Anti-Piracy Update Now Live

New patch checks for more activation hacks.
Earlier this month, we reported that Microsoft was prepping a Windows 7 update that would improve Windows Activation Technologies to detect more than 70 known and potentially dangerous activation exploits.

Those paying attention to Windows Update will see that the patch KB971033 is now live. Nothing in its name mentions Windows Activation Technologies; it is simply listed as an “Update for Windows 7.”

Microsoft previously pointed out that this update is completely voluntary and users can decline it when it appears (though we can’t imagine why legitimate users would worry). Of course, if a hack or exploit is found, Windows 7 will alert the user by removing the desktop background and popping up periodic reminders of just how non-genuine it is feeling.

Microsoft Help: How to Install, Reinstall, Upgrade or Uninstall Windows

Install, reinstall, upgrade or uninstall Windows: a new Microsoft webpage with guidance for when you need to install, reinstall, upgrade or uninstall Windows. (Thanks Chris)

INSTALL WINDOWS: for installing Windows for the first time on a new computer, with no existing version of Windows to remove, upgrade or replace. To install Windows while keeping an earlier version on the computer, use Install Multi-boot. The page lists:

  • Install Windows XP or Install Multi-boot
  • Install Windows Vista or Install Multi-boot
  • Install Windows 7 or Install Multi-boot (More Info)

UNINSTALL WINDOWS:

How To Lock Idle Computer Automatically

How many times have you left your computer without locking it and worried that someone would sneak into your personal mail and documents? At the office, many of us face this problem quite often.

How about locking the computer automatically when it has been left idle for a while? No extra software or special tools are needed: set a screen saver and configure it to ask for a password on resume. That’s a very simple solution, right?

Every version of Windows (XP, Vista, Windows 7, and so on) can be configured to start a screen saver after a chosen idle time and to ask for a password on resume.

In Windows 7, the Screen Saver Settings dialog has everything needed to lock the PC automatically after 5 minutes of idle time: pick a screen saver, set Wait to 5 minutes, and tick “On resume, display logon screen”. The options in other versions of Windows are more or less the same (XP labels the box “On resume, password protect”).

I’m not a big fan of screen savers; I also consider it a little annoying to set flashy screen savers in the workplace. So I choose Blank as the screen saver.

Find Model Number and Serial Number Of Your Computer Using DOS Commands

Desktops and laptops from manufacturers such as Dell and IBM come with a serial number (or service tag) and a model name. If you ever lose this information, you can read it back from the BIOS with WMIC at a command prompt. (On some systems the BIOS reports a placeholder such as “To be filled by O.E.M.” instead of a real value.)

To retrieve the serial number of the computer, run:

wmic bios get serialnumber

To retrieve the model name of the computer, run:

wmic csproduct get name

Universal phone charger OK’d

A standard for a universal phone charger was approved this week by the International Telecommunication Union, a branch of the United Nations.

Side by side view of a Micro-USB connector and a regular USB connector.
(Credit: Wikimedia Commons)

The Universal Charging Solution will enable the creation of one-size-fits-all chargers that can be used on any future phone, according to the ITU.

The standard is based on input from the GSM Association, which expects the shift to eliminate 51,000 tons of redundant chargers, or 13.6 million tons of greenhouse gas emissions each year.

Based on Micro-USB, the new chargers will also be energy efficient.

“Universal chargers are a common-sense solution that I look forward to seeing in other areas,” Malcolm Johnson, director of ITU’s telecommunication standardization bureau, said in a statement.

Manufacturers are not required to adopt the new chargers, but some have already signed up, such as Sony Ericsson, according to the BBC.

Control XP’s Autorun Script (Disable Autorun Script) (link updated)


Disable Autorun Script


Disabling the Windows XP Autorun feature with this downloadable script helps protect you from worms and other malware. Many security experts recommend turning Autorun off to defeat a common malware tactic: infecting a removable drive, such as a USB stick, so that the malware launches automatically when the drive is plugged into a new PC.
The script changes the Windows registry. To use it, download the file and double-click it. To reverse the change, download and run the re-enable script.
Note that with Autorun disabled, you will no longer get an automatic installation prompt when you insert a program’s installation CD or perform similar Autorun-dependent tasks. Instead, you will need to double-click the installer or other program on the CD or removable drive yourself. There have also been reports of problems with U3 thumb drives when Autorun is disabled. Should you wish to restore Autorun, use the Restore Autorun script.
If you use Windows Vista and want to disable Autorun, see Microsoft’s somewhat technical Vista instructions.

To use it, unzip the download and double-click the DisableAutorun.reg script.


Restore Autorun Script


Disabling the Windows XP Autorun feature with the downloadable script above helps protect you from worms and other malware. But if you have run into problems from doing so, you can reverse the change by downloading and double-clicking this restoration script.
Both the disable and re-enable scripts automate steps suggested by Nick Brown and later recommended by the United States Computer Emergency Readiness Team (US-CERT) to improve the security of a Windows XP computer.


To use it, unzip the download and double-click the RestoreAutorun.reg script.

10 Common mistakes you should avoid when flashing your BIOS

The BIOS is critical to your computer’s proper operation. It is the first code executed at start-up, and it defines how your motherboard communicates with the system’s hardware. Flashing the BIOS is not for the faint of heart, but by taking the proper precautions and planning for the worst-case scenario, your chances of a successful upgrade are greatly improved.

In this post, I show you how to safely flash your BIOS and point out the following 10 mistakes to avoid:

  1. Misidentification of your motherboard make/model/revision number
  2. Failing to research or understand the BIOS update details
  3. Flashing your BIOS for a fix that is not needed
  4. Flashing your BIOS with the wrong BIOS file
  5. Using an outdated version of the manufacturer flash utility or tool
  6. Not following or understanding the motherboard manufacturer’s specific directions
  7. Flashing your BIOS without a UPS or at higher-risk times
  8. Flashing the BIOS from within Windows with other applications running
  9. Flashing an overclocked system
  10. Failing to have a recovery plan if the BIOS flash fails

After watching the video, you can learn more about the safe way to flash your BIOS by reading Alan Norton’s article, “10 common mistakes you should avoid when flashing your BIOS”, the basis for this video.

10 common mistakes to avoid when you’re installing Linux software

Installing software in Linux is nothing like it used to be, but there are still some pitfalls to watch out for. If you follow this little guide, your Linux life will be made simpler and safer.

Note: Author: Jack Wallen. This information is also available as a PDF download.

#1: Installing from source when your system is primarily an .rpm or .deb system

Many new Linux users don’t realize that rpm and apt (or dpkg) keep track of everything installed on the system. But those tools (rpm, apt, and dpkg) can track only the packages they install. So when you find that obscure program that comes only as source and compile it yourself, the package manager knows nothing about it. Instead, build an .rpm or .deb from the source and install that with the package manager, so the system is aware of everything you have installed.

#2: Neglecting the many graphical front-end package management applications

Most people don’t even realize that there are graphical front ends that take a lot of the guesswork out of installing packages in Linux. For yum (the command-line package management system for rpm), you can use Yumex for yum (installed with yum install yumex); you can use Synaptic or Adept for apt (installed with apt-get install synaptic or apt-get install adept).

#3: Forgetting to update the list of available packages

When using apt-get or yum, make sure you refresh the list of available packages; otherwise your system will not see the latest releases of the packages you have installed. With apt-get, run apt-get update. With yum, run yum check-update.

#4: Not adding repositories for yum or apt-get

Both yum and apt-get use a list of repositories that tells them where to find available packages. But the default repositories (often called “repos”) do not include every Linux package known to Linuxkind. So if you run the install command and yum (or apt-get) can’t find the package, you will most likely have to add a repo to your sources. For yum, the sources are in /etc/yum.conf and the .repo files under /etc/yum.repos.d/. For apt-get, they are in /etc/apt/sources.list. Once you have added a new repo, run the update again so apt or yum is aware of the new source.

#5: Not taking advantage of installing from a browser

Just as with Windows, when your system sees you are downloading an installable package, you will be asked whether the package management system should install the file or just save it to disk. In both cases you will be asked for the root password (so you must have access to said password for this to even work). One thing I’ve always liked about this method (be it on a yum-based or dpkg-based system) is that it has almost always been good about locating and adding dependencies.

Naturally, this method works only when you are downloading a file that’s applicable to your system. If you attempt to download an rpm file on a Debian-based system, you won’t have the option of installing the file.

You can take this one step further and select the Always Do This… check box in the Firefox popup, so that every time you download a file associated with your package management system, it automatically prompts for the root password and installs the package. This streamlines the process quite a bit. Bear in mind that the package is installed as root, so only do this with packages from a source you trust.

#6: Forgetting the command line

Let’s say you’ve installed a headless server using Ubuntu or Debian (a common setup for Linux servers) and haven’t installed any of the graphical interfaces or desktops. To do any maintenance, you have to log in via ssh (because no admin would log in via telnet) and are limited to the command line only. Even so, your ability to keep your system updated or install new applications is not limited. You can still use yum or apt-get to manage your packages.

With a Debian-based system, you have another option: Aptitude. From the command line, issue the command aptitude and you will be greeted with a nice curses-based interface for apt. This system is easy to use and gives you an outstanding option for maintaining a GUI-less server without losing functionality. Aptitude lists Security Updates, Upgradable Packages, New Packages, Not Installed Packages, Obsolete Packages, Virtual Packages, and Tasks. As you scroll through the list, you get not only the installed and new package version numbers but also a description of each package. After using Aptitude, you will quickly see how simple updating Linux packages can be, even from the command line.

#7: Blindly unpacking tar files

I can’t tell you how many times I have downloaded a source package and, without thinking, untarred it without knowing its contents. Most times this works out fine. But there are a few times when the package creator/maintainer has failed to mention that the contents of the package are not housed in a parent directory. So instead of a newly created directory holding the contents of the tar file (which can contain hundreds of files and directories), those files are blown all over the directory you unpacked them into.

To avoid this, I always create a temporary directory and move the tar file into it. Then, when I unpack the tar file, it doesn’t matter if the contents are contained within their own directory or not. Using this method will save you a LOT of cleanup in those cases where the creator didn’t pack everything in its own neat directory.
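The habit described above, written down as a script, is an added example of mine and not the article’s own code. It uses Python’s tarfile module to list an archive’s top-level entries before unpacking, always extracts into a fresh per-archive directory under a build directory so a loose archive cannot spray files over your working directory, and goes one step beyond the article: it refuses members whose paths or link targets would land outside that directory (absolute paths or “..” components), which is the other way a blindly unpacked tarball bites you. The three archives it builds are constructed samples; the file names inside them are made up.

```python
"""Look inside a tarball before unpacking it, and unpack into a directory you
control.  Added example; not code from the article."""
import io
import tarfile
import tempfile
from pathlib import Path, PurePosixPath


def _parts(name: str):
    # PurePosixPath drops "." components, so "./a/b" becomes ("a", "b").
    return PurePosixPath(name).parts


def _escapes(name: str) -> bool:
    """True if a member path could land outside the extraction directory."""
    return PurePosixPath(name).is_absolute() or ".." in _parts(name)


def inspect_tar(archive: Path) -> dict:
    """Summarise an archive without extracting anything."""
    with tarfile.open(archive) as tf:
        members = tf.getmembers()
    top_level, unsafe = set(), []
    for m in members:
        parts = _parts(m.name)
        if not parts:
            continue
        # Plain path traversal, or a link whose target points outside.
        if _escapes(m.name) or ((m.issym() or m.islnk()) and _escapes(m.linkname)):
            unsafe.append(m.name)
        top_level.add(parts[0])
    # A "tidy" archive keeps everything under one parent directory; a loose one
    # has several top-level entries, or a single top-level regular file.
    loose_files = [m for m in members if len(_parts(m.name)) == 1 and not m.isdir()]
    return {"top_level": top_level, "unsafe": unsafe,
            "has_parent_dir": len(top_level) == 1 and not loose_files}


def safe_extract(archive: Path, dest: Path) -> Path:
    """Refuse escaping members, then extract into dest/<archive name>/ so that a
    loose archive cannot scatter files over dest itself."""
    info = inspect_tar(archive)
    if info["unsafe"]:
        raise ValueError(f"{archive.name}: refusing to extract {info['unsafe']}")
    target = Path(dest) / archive.name.split(".tar")[0]
    target.mkdir(parents=True, exist_ok=False)  # never merge into an existing tree
    with tarfile.open(archive) as tf:
        # Python 3.12+ ships the "data" extraction filter, which also blocks
        # traversal and strips setuid bits; use it where available.
        if hasattr(tarfile, "data_filter"):
            tf.extractall(target, filter="data")
        else:
            tf.extractall(target)
    return target


def _write_tar(path: Path, names) -> Path:
    """Constructed sample archive: every name becomes a small regular file."""
    with tarfile.open(path, "w") as tf:
        for name in names:
            data = f"contents of {name}\n".encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return path


def demo() -> dict:
    """Build three sample archives in a scratch directory and show how each is handled."""
    out = {}
    with tempfile.TemporaryDirectory() as scratch:
        scratch = Path(scratch)
        tidy = _write_tar(scratch / "tidy-1.0.tar", ["tidy-1.0/README", "tidy-1.0/src/main.c"])
        loose = _write_tar(scratch / "loose.tar", ["README", "src/main.c", "Makefile"])
        evil = _write_tar(scratch / "evil.tar", ["../../.bashrc"])
        out["tidy_has_parent"] = inspect_tar(tidy)["has_parent_dir"]
        out["loose_top_level"] = sorted(inspect_tar(loose)["top_level"])
        extracted = safe_extract(loose, scratch / "build")
        out["loose_extracted_into"] = extracted.name
        out["loose_files"] = sorted(p.relative_to(extracted).as_posix()
                                    for p in extracted.rglob("*") if p.is_file())
        try:
            safe_extract(evil, scratch / "build")
            out["evil_blocked"] = False
        except ValueError:
            out["evil_blocked"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The loose archive ends up neatly in build/loose/ even though its members have no common parent, and the archive with a “../../.bashrc” member is rejected before a single byte is written. The `inspect_tar` summary is also what you would print before deciding to unpack something from an untrusted mirror.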

#8: Deleting those make files

When you’re installing from source, you will probably run make clean to get rid of the object files and other build products. But if you get rid of the Makefile itself, uninstalling will be a hassle. If you keep it, you can usually uninstall the program simply by running make uninstall from the directory that holds the Makefile. A word of warning: don’t dump all your Makefiles into one directory. First rename them so you know which application each belongs to. When you want to uninstall an application, move its Makefile to a directory of its own, restore its original name, and then run make uninstall. Once the application is uninstalled, you can delete the Makefile.

#9: Installing for the wrong architecture

You might notice that many rpm files carry i386, i586, i686, ppc, x86_64 and the like in their names. There is a reason for this. Unless the file name includes noarch, the rpm was built for a specific architecture, and it was optimized for that architecture, so it runs best there. Does that mean you can’t install an i386 package on a Pentium-class (i586) machine? Of course not; it will just not be tuned for the newer CPU. The reverse is not guaranteed: a package built for a newer x86 level may use instructions an older processor lacks. You cannot install a PPC rpm on x86 at all; PPC packages are for PowerPC processors. Nor can you install a 64-bit package on a 32-bit system. You can, however, install 32-bit packages on a 64-bit system if the 32-bit compatibility libraries are present (as when you want Firefox running with Flash on a 64-bit machine).

#10: Failing to address problems with kernel updates

It used to be that updating kernels was a task left to the silverback geeks. No more. With the new package management systems, anyone can update a kernel. But there are some gotchas you should know about. One is space. With every kernel update, your old kernel is retained. If you continually update kernels, your system storage can fill up quickly. It is always a good idea to check which older kernels you can get rid of. If you’re using rpm, run rpm -qa | grep kernel to see what is installed. You can remove all but the last two, but never the kernel you are currently running (uname -r shows which one that is). Keeping two means you have a fallback if the one you are running gets fubar’d.

Another gotcha involves NVIDIA drivers. If you use the livna repositories, you will find yourself locked into the livna kernel releases as well. This isn’t always a good idea. Instead, I would do this in two parts: update your kernel, and then download and install the NVIDIA driver built for that kernel. This requires you to search for the proper rpm file for the NVIDIA driver, but it keeps you from having to use the livna kernel. I was once locked into this system and found myself suffering from interesting kernel/video issues isolated to the livna files. Avoid this. Of course, if you are using an Ubuntu system, you can avoid the NVIDIA trap altogether by using Envy. This handy tool lets you install the best NVIDIA driver without messing up your favorite kernel.

And although this is a no-brainer, make sure you reboot after a kernel upgrade. It is the one time you will HAVE to reboot your Linux machine. Although the machine will continue to work just fine, it will be running the old kernel and not taking advantage of the new features or security fixes (or whatever else the newer kernel has to offer).