Microsoft SSL VPN is here

Not so long ago, when I was asking Microsofties when they were going to release an SSL VPN solution, they asked me back: we support a lot of functionality over the Web, as well as standards-based VPN, so why do you need an SSL VPN?

That was a good question, and it had a two-part answer: not everything is part of the Microsoft ecosystem, and SSL VPN is the flavour of the day. Apparently Microsoft listened: they bought Whale Communications, an SSL VPN company.

Enter Microsoft’s Intelligent Application Gateway 2007, the SSL VPN solution from Microsoft. SSL VPN is a highly competitive market, with Check Point, F5 and Juniper being the major established players. I think all of them acquired their SSL VPN technologies too!

The product is part of the Microsoft Forefront Edge Security and Access family. It’s getting really confusing, with so many different solutions branded Forefront. I’d prefer Microsoft Antivirus, Antivirus for Servers, Enterprise Firewall, SSL VPN and so on. Something descriptive, to the point.

I’ll be dissecting IAG really soon. Stay tuned for updates.

What’s proper strong authentication?

Everybody knows the answer: strong authentication involves more than one factor, usually something you know and something you have. Yet it never ceases to amaze me how wild the interpretations of strong authentication get.

Strong authentication is authentication where the factors are interdependent, and at least one of the factors can neither be issued without the full knowledge of the system’s administrators nor be (easily) cloned.

Take a GSM mobile telephone. The telephone’s SIM, when protected with a PIN, is strong authentication: no one can easily clone the SIM. However, the telephone number assigned to that subscriber via the SIM isn’t: it is quite easy to misrepresent the source phone number when placing calls (there are DIY solutions, process exploits and services; the same applies to SMS). A Java applet that is loaded onto the phone and requires a password to run is not strong either – it can be copied.

I would discard biometrics, because those authentication factors cannot be replaced easily once compromised. Plus, one’s fingerprints, voice or DNA aren’t kept strictly private. Cloning is always an option – some fingerprint scanners, including one marketed by Microsoft, happily accept artificial fingers made of lollies.

The smart card is, by far, the best strong authentication solution. The technology has been available in Windows since 1999, and is quite mature by now. There are no excuses for living with passwords, especially when you see passwords as a risk.

A vision for IPv6 enterprise

Without much fanfare, stock exchange opening bells and stuff like that, the IPv6 protocol stack made it to all major computing platforms. In Windows XP Service Pack 1, a fully supported IPv6 stack replaced the previous experimental version (which is also available for Windows 2000); it was also integrated in Windows Server 2003 and is available for Windows CE. IPv6 is available (and probably supported) in recent versions of Red Hat Enterprise Linux (kernel 2.6-based), and has been in Solaris for a long while. Cisco IOS and other operating systems running on network equipment also support IPv6. The protocol has arrived.

Here’s what the IPv6 enterprise will look like:

  • Enterprise firewalls – gone. They are dinosaurs right now, and it’s long past the ice age;
  • Enterprise access/VPN gateways – gone. Enterprises will utilise assigned, Internet-addressable address space;
  • Access to the enterprise servers will be controlled using the IPsec host authentication mechanism. Public services won’t require authentication, whereas internal services will require both user (traditional) and system (IPsec AH) authentication;
  • Computers will use keys stored in the TPM (Trusted Platform Module) to authenticate against corporate IPv6 infrastructure services;
  • Network QoS (Quality of Service) won’t happen… again. In the past there were too many issues integrating transport-layer QoS protocols with applications up the OSI stack, and increased bandwidth was always the answer. That won’t change, and QoS will remain limited at most.

Pretty cool, huh? 

When enterprises will move to IPv6 en masse is anyone’s guess. I think the change will come from telcos providing services to consumers – the whole world is a potential customer, and the telcos are already facing limitations in both the address space available (including private) and the gateway capacity between their private and public networks. IPv6 will solve both issues. Switching enterprises across takes retiring support for IPv4…

Some IPv6 resources:

  2. – Japanese are heaps ahead with this
  3. – I finance this with my taxes… Which makes it personal!

Good principles for sysadmins and solution architects

Solaris™ Administration Best Practices by Peter Baer Galvin is an old gem. Here’s the list:

  • Keep an Eye Peeled and a Wall at Your Back
  • Communicate with Users
  • Help Users Fix It Themselves
  • Use Available Information
  • Know When to Use Strategy and When to Use Tactics
  • All Projects Take Twice as Long as They Should
  • It’s Not Done Until It’s Tested
  • It’s Not Done Until It’s Documented
  • Never Change Anything on Fridays
  • Audit Before Edit
  • Use Defaults Whenever Possible
  • Always Be Able to Undo What You Are About to Do
  • Do Not Spoil Management
  • If You Haven’t Seen It Work, It Probably Doesn’t
  • If You’re Fighting Fires, Find the Sources
  • If You Don’t Understand It, Don’t Play with It on Production Systems
  • If It Can Be Accidentally Used, and Can Produce Bad Consequences, Protect It
  • Ockham’s Razor Is Very Sharp Indeed
  • The Last Change Is the Most Suspicious
  • When in Doubt, Reboot
  • If It Ain’t Broke, Don’t Fix It
  • Save Early and Often
  • Dedicate a System Disk
  • Have a Plan
  • Cables and Connectors Can Go Bad
  • Mind the Power
  • Try Before You Buy
  • Don’t Panic and Have Fun

As it happens, the practices apply equally to Windows system administration and to creating solution architectures, including security solutions.

I don’t agree with one of the pearls of wisdom included in the writeup – this one:

The question you ask as a sys admin is not “Are you paranoid?”; it’s “Are you paranoid enough?”

Last time I checked, paranoia was a mental illness. Being paranoid isn’t good for you: paranoia results in a malformed perception that largely replaces reality in someone’s mind.

And I’d add another rule: Always question “Best Practices”.

Resist googlisation!

I don’t use Google Search. That’s because I see a dangerous thing going on: the googlisation of everything. Too often people say “just google for it”, referring to it as the way to get facts, without realising that a Web search is only going to return the most popular, most often cited source – which is not necessarily truthful. The same applies to Wikipedia.

Critical perception of information is crucial for an intelligent person. For that reason, getting facts by just googling is not acceptable – it is only good for getting some information for consideration. There are too many questions whose answers cannot be found on the Internet, and too many for which mostly wrong answers are given on Web sites. If Google is taken as a source of truth, it will be misleading in many cases – especially when it comes to complex problems. In Ukraine, higher education is plagued by the google-and-paste (or worse, copy-and-paste from ready-to-reuse sources like a Muscovite McEducation site) way of writing theses.

Some competition in the search space is also required. I’m not looking forward to seeing an advertising agency replace libraries.

Is it googlisation or googlization? I don’t give a damn. Resist it.

The most secure modern OS, Part I

It’s in wide use, it’s mature yet modern (a new version was released just recently), and it’s the most secure consumer OS out there. It’s a Microsoft product.

The OS in question is Windows Mobile. Formerly known as Windows CE, it became the nameless power behind the Windows-powered Pocket PC and is now available on a mobile telephone near you. It’s still not without identity issues – there is a Phone Edition and a Smartphone edition. Windows Mobile rocks. It’s not the only OS that rocks – thus Part I.

My Windows Mobile device contains a copy of my mailbox, address book and some files, giving me the option to synchronise over a USB cradle connection, Bluetooth, Wi-Fi or the mobile phone network. A variety of applications is available, both productivity and leisure. And I can browse the Web from, like, anywhere – without annoying Flash banners. And I’m in full control of the device – as the administrator (or the runlevel 1-like root, if you wish).

I have seen numerous suggestions that I should run a firewall and antivirus on the device. That’s laughable. I don’t do that on my PC, but in this case those won’t make much difference for Mr. Average User – apart from perhaps shortening the device battery life and adjusting the content of his wallet by a few bucks (annually, in the case of Symantec). A market for this useless software is built on a years-old fear of an imminent worm outbreak. And still, we have just a handful of proof-of-concept viruses for the platform (none dangerous or self-distributing), and no prominent incidents involving Windows Mobile.

It is a big mistake to judge something only by its past, but in this case something makes me more confident: SANS, a security education organisation, joins desperate vendors in spreading FUD:

IT managers are being warned of the threats that are likely to keep them awake nights in 2007, with laptop security, VoIP and the contentious issue of mobile phone viruses all featuring on one organisation’s ‘hit-list’.

It is a contentious non-issue, together with VoIP. I despise FUD. Therefore I proudly proclaim Windows Mobile the most secure OS, and forecast another virus-free year for the platform.

P.S. If only they had data encryption for Windows Mobile…

Life without firewall and antivirus

I don’t run firewall or antivirus software on my personal computer. And the operating system there isn’t Mac OS.  And I work logged on as the Administrator.

The reason is simple. I want to know if the intruders out there will outsmart me – by coming up with a new kind of remote exploit (I don’t run unnecessary services on the Internet interfaces); by making me double-click on an email attachment; or by making me go to a Web site that has a picture containing a binary virus payload. Or maybe they will come up with a totally new technique (like I did with exploiting implicit trust using a wireless access point)? I do my housekeeping: apply updates, disable unnecessary services and configure the others securely, and only access trusted content. I think I’m up to the challenge.

I don’t suggest that anyone follow my example. In fact, I recommend using both firewall and antivirus/antispyware software. But I think that traditional network-based, remote-exploit types of attack will die off, and traditional viruses soon after.

Kashrut, Sarbanes and Oxley

This is about interpretations, and how they transform law into something unrecognisable.

The first example is kashrut, the Orthodox Jewish dietary law. Its origins can be traced mostly to the eleventh chapter of the third book of the Bible (or Torah, if you like), Leviticus:

And the LORD spake unto Moses and to Aaron, saying unto them, Speak unto the children of Israel, saying, These are the beasts which ye shall eat among all the beasts that are on the earth…

(the full text is here)

A couple of thousand years later, we find the concise set of rules transformed into something very complicated, apparently bloated and sometimes conflicting. The main thing is – if you want to sell kosher food, you cannot just claim that the food is kosher. There is no self-assessment. You must hire someone from a Kashrut authority to supervise your processes and certify your compliance. Compliance to something that is only vaguely based on the initial law.

A more recent but very similar example is An Act to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes, commonly referred to as the Sarbanes-Oxley Act (or just SOX). It is the US Congress’ response to a series of corporate scandals, including the burst of the telecom bubble (read Om Malik’s excellent book “Broadbandits” about it) and the Enron demise.

The act is about implementing audit and security controls so that corporate executives can’t tamper with financial results in order to inflate the share price and such. Yes, it includes something about information security – so vague that I can easily post the entire Section 404 here:


(a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall –
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
(b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

That’s it. Much shorter than Leviticus Chapter 11. Do you see anything about firewalls, intrusion detection and prevention systems, antivirus software and email journaling? Me neither. The law requires a verifiable set of controls around financial information (which is reasonable); the controls aren’t defined (which is bad); and it’s up to the auditors to define what’s required.

Boom! The Big Five accounting firms (okay, they’re the Big Four – Andersen became the scapegoat) all of a sudden have a lot of new business to do. That is, they interpret the law at will, and they charge a fee to check compliance with what is largely a product of their own imagination. In just five years, SOX resulted in the creation of a new Kashrut system.

I should probably give examples of SOX stupidity. The most fascinating one, if true, is this: based on SOX, the IT auditors require all routers to be tested under high load for a fortnight before being connected to production. I cannot name the source or the auditors here – I just heard it through the grapevine. But for some reason I tend to believe it.

CEOs, CFOs and CIOs hardly ever touch routers or administer servers. In all cases of corporate fraud they were using other means to defraud the investors.

Compliance is only good if it brings benefits. A more secure infrastructure is usually more stable, because it must be well managed to stay secure. But it’s very easy (and tempting, to some) to go overboard with compliance. If you attend a presentation of a new product and you hear “SOX” or “HIPAA” in the first five minutes – walk away.

Enterprise firewalls are a thing of the past

Do you have an enterprise firewall? Here’s a rule set for you to try:

  • Source: ANY
  • Destination: ANY
  • Protocol: ANY
  • Action: ALLOW

Yes, I’m asking you to allow everything across the firewall. Horrors!

But wait a minute. Most modern networks, large or small, do not use public IP address space, so John Citizen cannot connect directly to the systems on the network at will. Are outbound connections a significant threat? I don’t think so. There are so many ways for users (and malware) to send information out using already available connectivity devices and infrastructure that trying to keep it under tight control will cost a lot and won’t stop a determined malicious insider (or a clever trojan).

If there is any tangible risk resulting from applying the abovementioned firewall rule set, then you have a big problem – insecure infrastructure. And you don’t solve it with a device that may be located on another continent.

So it’s time to stop paying for those stateful inspection appliances, as well as their support and maintenance. Time to openly oppose best practices and regulatory compliance requirements that often make organisations deploy multiple layers of enterprise firewalls. Get back to basics: secure your applications.

I was looking for the old thread on the Death of the DMZ – found it on Susan Bradley’s blog (where else?). Time to bring it up again. And to acknowledge the reality – it’s not just the DMZ that belongs to the past; it’s the Brandmauer (the firewall itself).

Notes about Active Directory integration using LDAP

I’d like to share a few notes about integration with Active Directory using LDAP:

  • LDAP is a directory access protocol; in a solution design it is the authorisation (lookup) component, not the authentication protocol. Think about users who don’t use passwords but smart cards or RSA SecurID one-time passwords for authentication. Even if there aren’t any, there might be in future – therefore make sure the authentication system is effectively separated from the authorisation subsystem;

  • For example, if your Web application requires a client certificate to connect, rely on PKI trust (with the certificate mapped to the account, e.g. by the UPN in its subject alternative name) and don’t try to match the user’s certificate against the userCertificate attribute in AD (which is for S/MIME);

  • Make sure that a unique attribute is used for directory lookups after authentication. Note that commonName is only unique within its container and sAMAccountName only within a domain, whereas userPrincipalName is unique across the forest (and objectGUID or objectSid, which never change, are the safest keys to store);

  • Do not ever use organisational units (that is, location in the directory tree) for granting access. Use groups and group membership instead;

  • Make sure that you check that the user account isn’t locked out or disabled. The Microsoft KB article How to query Active Directory by using a bitwise filter describes the LDAP query format for that. UF_ACCOUNTDISABLE (0x0002) and UF_LOCKOUT (0x0010) are the bits to look for in userAccountControl – with the caveat that AD does not actually set UF_LOCKOUT in that attribute, so lockout has to be judged from lockoutTime (or from the computed attribute msDS-User-Account-Control-Computed).

Don’t oversecure LDAP. It’s the enterprise address book – think of Yellow Pages when you design security solutions using LDAP.
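The notes above in working code, as an added example that is not part of the original post: the application has already authenticated the user elsewhere (smart card, client certificate, Kerberos) and only uses LDAP to look the account up by userPrincipalName, check that it is neither disabled nor locked out, and grant access on group membership rather than on the OU the account sits in. The directory entries, the group name and the domain lockout duration are constructed for the example (standing in for a real search result); the filter escaping follows RFC 4515 and the disabled-account test uses the LDAP_MATCHING_RULE_BIT_AND OID from the KB article.

```python
"""Look an already-authenticated user up in Active Directory over LDAP.

Added example for this post, not code from the original post. The directory
entries, group DN and lockout duration below are constructed, not captured
from a real domain; a real implementation sends user_lookup_filter() to a
domain controller and feeds the returned entry to account_status()."""
from datetime import datetime, timedelta, timezone

# userAccountControl bits (ADS_USER_FLAG_ENUM). AD does not set UF_LOCKOUT in
# userAccountControl; lockout shows up in lockoutTime (a FILETIME) and in the
# computed attribute msDS-User-Account-Control-Computed.
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010
UF_NORMAL_ACCOUNT = 0x0200
# Extensible-match rule OIDs used in AD bitwise filters.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value inside an LDAP filter.
    Without it a UPN such as 'x*)(objectClass=*' becomes filter injection."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def user_lookup_filter(upn: str) -> str:
    """Find an enabled user by userPrincipalName (unique across the forest).
    The bitwise AND on userAccountControl excludes disabled accounts on the
    server; lockout still has to be evaluated from lockoutTime."""
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(userPrincipalName={escape_filter_value(upn)})"
        f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE})))"
    )


def to_filetime(when: datetime) -> int:
    """datetime -> Windows FILETIME: 100 ns intervals since 1601-01-01 UTC,
    computed in integers so large values stay exact."""
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def account_status(entry: dict, lockout_duration: int, now: datetime) -> str:
    """Return 'disabled', 'locked' or 'ok' for one directory entry.

    lockout_duration is the domain's lockoutDuration, a negative 100 ns
    interval; the lockout has expired once lockoutTime - lockoutDuration is
    in the past. lockoutTime == 0 means never locked (or already cleared)."""
    if entry["userAccountControl"] & UF_ACCOUNTDISABLE:
        return "disabled"
    lockout_time = entry.get("lockoutTime", 0)
    if lockout_time and lockout_time - lockout_duration > to_filetime(now):
        return "locked"
    return "ok"


def authorise(upn: str, required_group: str, directory: dict,
              lockout_duration: int, now: datetime) -> str:
    """Decide on access for a user who was authenticated elsewhere.
    `directory` stands in for the LDAP search result, keyed by UPN."""
    entry = directory.get(upn)
    if entry is None:
        return "unknown"
    status = account_status(entry, lockout_duration, now)
    if status != "ok":
        return status
    # Group membership, not the OU the account lives in, decides access.
    if required_group.lower() in (g.lower() for g in entry.get("memberOf", [])):
        return "allow"
    return "deny"


# Constructed sample data: four accounts and a 30 minute domain lockout duration.
NOW = datetime(2007, 3, 1, 12, 0, tzinfo=timezone.utc)
LOCKOUT_DURATION = -30 * 60 * 10_000_000
APP_USERS = "CN=App Users,OU=Groups,DC=example,DC=com"
DIRECTORY = {
    "alice@example.com": {"userAccountControl": UF_NORMAL_ACCOUNT,
                          "lockoutTime": 0, "memberOf": [APP_USERS]},
    "bob@example.com": {"userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE,
                        "lockoutTime": 0, "memberOf": [APP_USERS]},
    "carol@example.com": {"userAccountControl": UF_NORMAL_ACCOUNT,  # locked 5 min ago
                          "lockoutTime": to_filetime(NOW - timedelta(minutes=5)),
                          "memberOf": [APP_USERS]},
    "dave@example.com": {"userAccountControl": UF_NORMAL_ACCOUNT,  # lockout expired
                         "lockoutTime": to_filetime(NOW - timedelta(hours=2)),
                         "memberOf": []},
}

if __name__ == "__main__":
    print(user_lookup_filter("alice@example.com"))
    print(user_lookup_filter("x*)(objectClass=*"))  # injection attempt, neutralised
    for upn in DIRECTORY:
        print(upn, authorise(upn, APP_USERS, DIRECTORY, LOCKOUT_DURATION, NOW))
```

The disabled check can be pushed into the server-side filter, but lockout cannot be expressed as a userAccountControl bit, which is why the code compares lockoutTime against the domain’s lockoutDuration; reading msDS-User-Account-Control-Computed, which the DC computes per query, is the other option. Note also that a lookup by commonName or sAMAccountName would need the container or domain as part of the key to be unique; userPrincipalName does not.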