ISC Feature of the Week: Tools->Information Gathering

Published: 2012-05-17
Last Updated: 2012-05-17 20:39:55 UTC
by Adam Swanger (Version: 1)
4 comment(s)

Overview

One of the sections on the ISC Tools page is Information Gathering at https://isc.sans.edu/tools/#info-gathering. This collection will help you easily find out how your browser and plugins look to the outside and lists some other information lookup tools.

Features

Browser Headers - https://isc.sans.edu/tools/browserinfo.html
How a server sees your browser.

Browser Plugin Detector - https://isc.sans.edu/tools/adobinator.html
This page attempts to detect various browser plugins. The detection code used was created using PluginDetect.

  • Lists plugins detected and various version information for each.

Site Availability Check - https://isc.sans.edu/tools/sitecheck.html
Checks if hostname is reachable.

  • Single input box.
  • Displays failure if unreachable.
  • If reachable, outputs:
    • Page load time
    • Page size in bytes
    • Return status code (ie. 200 success)
    • Final URL

Site DNS Check - https://isc.sans.edu/tools/dnscheck.html
Hostname to IP DNS resolver.

  • Single input box.
  • Output IP if system is able to resolve.

Whereis[IP] - https://isc.sans.edu/tools/whereis.html

  • Multi-line input box. Enter one(1) IP per line.
  • Output table contains:
    • IP ADDRESS queried
    • ASN of IP
    • NETWORK assignment
    • COUNTRY abbreviation
    • ISP name
    • RIR - Name of registry

Content Security Policy Test - https://isc.sans.edu/tools/csptest.html
Created for Firefox 4 but features may be found in other browsers.

  • Lots of details and information on the test outlined and explained on the page

 

Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form
--
Adam Swanger, Web Developer (GWEB, GWAPT)
Internet Storm Center https://isc.sans.edu

 

Keywords: ISC feature
4 comment(s)
New IPv6 Video: IPv6 Router Advertisements https://isc.sans.edu/ipv6videos

Do Firewalls make sense?

Published: 2012-05-17
Last Updated: 2012-05-17 18:25:36 UTC
by Johannes Ullrich (Version: 1)
14 comment(s)

Once in a while, someone comes up with the idea that firewalls are really not all that necessary. Most recently, Roger Grimes of Infoworld [1][2]. I am usually of the opinion that we definitely probably need firewalls. But I think the points made by the anti-firewall faction offer some insight into not only why we really need firewalls, but also what people don't understand about firewalls.

To clarify from the start: I am talking here about good old basic network firewalls. No deep packet inspection rules and no host based firewalls.

From a security point of view, firewalls offer two main functions: They regulate traffic, and they provide logs. The second part is often neglected. But look over some of the stories here, and quite frequently, you will find cases in which firewall logs tripped the scale. For example the "duplicate DNS response" issue earlier this week was initially found by an observant reader watching firewall logs.

When it comes to filtering, some consider firewalls not worth the trouble because "they only filter on ports that are closed on the server anyway". I think this shows a lack of understanding of what a firewall can do protecting servers. My best firewall wins came usually from outbound filtering from traffic trying to leave the server.

The next argument against firewalls is that there are usually better devices to do the filtering: Proxies have real application insight, router and switch ACLs can usually pick up the low end port filtering part. As far as the proxy is concerned: I say get one too. But proxies are usually rather complex devices to configure correctly and I rather get the easy stuff out of the way first using a firewall. At the same time: How do I make sure my traffic actually uses the proxy? That typically involves a firewall.

A switch or a router may have many features that are found in a classic firewall (even state-full rules and some application logic). They may be perfectly fine for a home user or a small business. However, in particular in an enterprise context, you probably want to split the firewall functionality to a different device, and with that to a different group of people. The people dealing with routing and network performance ("packet movers") are usually not the same people that are dealing with firewalls and filtering ("packet droppers").

But how many "modern" attacks are really blocked by firewalls? Aren't they all sending a spear phishing email to the user, tricking the user to download malware some chinese kid wrote via the filtering proxy we installed?  Next they exfiltrate the data via that same proxy (or DNS, or SMTP... or other services we have to allow)? In part, these modern attack are a testimony to the effectiveness of firewalls. An attacker would probably rather still use the same tool they used back in the 90s to brute force file sharing passwords and download data straight from the system. But sadly, because now even some universities block file sharing using a firewall, these attacks no longer work.

Against these modern attacks, we have other defenses. Some may work against the older versions of these attacks as well. In short, these defenses can be summarized as "end point protection" (whitelisting, anti-virus, host based firewall, hardening of the system...). Hardening a large number of end points is however a lot more difficult then configuring a few firewalls well placed at the right choke points.

By now, you are probably going to ask yourself: Why hasn't he talked about "defense in depth" yet? The argument doesn't really apply if you are trying to argue removing a device. Each additional security device can be justified with "defense in depth". But  some security devices don not add enough value to justify the expense. I don't think "defense in depth" itself can be used to justify a *particular* security device. It rather justifies the fact that some of our security devices are redundant and fulfill similar, but not identical, roles.

To summarize: If the last time you looked at your firewall rules and logs was back in 2003 to stop SQL slammer, you probably may as well get rid of it. But a well managed and configured firewall can have significant value. It is one of the simpler security devices you probably have. Consider it the good reliable 6 shooter as compared to the fancy (but sometimes flakey) F-22. Which one are you going to take along to get money from the ATM that just appeared in the DEFCON hotel lobby ;-) .

 Thoughts? Flames? Use the comment feature or sent us a non-public comment via the contact form.

[1] http://www.infoworld.com/d/security/the-firestorm-over-firewalls-193409
[2] http://www.networkworld.com/news/2005/070405perimeter.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: firewall
14 comment(s)
ISC StormCast for Thursday, May 17th 2012 http://isc.sans.edu/podcastdetail.html?id=2542

Comments


Diary Archives