Dad, Please Unblock This Website!

I guess it's time to take a break from kvetching about my job for a moment and talk about something security related. Or more specifically, something related to keeping your kids safe on the Internet.

My 8-year-old son is becoming a bit more adventurous in his quest for all things Pokemon, not to mention Tower Defense-type games. He is using that search box in the upper right hand corner of the Firefox window to find things. This has resulted in coming across pages that are "blocked" by Microsoft's Family Safety filter, which I use on all the downstairs computers. This inevitably means he'll run into whatever room I am in and ask me to "type in my password" to unblock the site. Frequently, he asks me when I am doing something else and, of course, he wants it NOW.

When I am ready, I go to his computer--which is in our living room and thus in a public room--and find out what site he was trying to go to. Some sites I know aren't particularly great for his age range (e.g. MySpace), others I will check first. Because I'm not quite sure what I am going to find, I ask him to leave the room first. Either that or I will make note of the site and go check on a different computer.

The reason for this is very simple: Microsoft's Family Filter does not offer a lot of granularity on blocking. Furthermore, it doesn't give any explanation as to why a site was blocked (e.g. what category the website was in). Even if it did, one should never assume the filter is entirely correct. The best way to keep the kids protected is to manually review the site--without them in the room--in case something particularly nasty shows up!

In one case, I went to a blocked website that appeared to have ok content, but had ads on it that were clearly not ok. Furthermore, there was so much crap on the site that the browser basically locked up! In short, there was no way I was allowing my son anywhere near this website.

I then explained to my son why I was still not going to allow access to the site in question. I reiterated why the filters are there and why I manually check things first. He understood and moved onto something else.

Obviously, things are relatively simple right now. As time wears on, things are going to be more complex, particularly when we get into instant messaging and interacting with other people online. Not to mention the difference in age-appropriateness between my 8-year-old son and 4-year-old daughter as they get older. However, it will hopefully be handled much the way it is handled today: with a conversation.


The Long Goodbye

Over my 10 years in Nokia's Security Appliance Business, I have met a lot of people. Many of these people worked in the business and moved onto other areas of Nokia. Others were the direct result of my "poking around." At one point, I hoped that I could leverage some of these contacts to branch out into other areas of Nokia.

Then, a funny thing happened at the end of September 2008. Nokia announced they were selling the Security Appliance Business to an outside investor. We were to become a new, independent company. Shortly thereafter, the wheels fell off the economy and the credit market dried up. This made such a venture untenable.

Shortly before Christmas, Nokia announced we were being sold to Check Point Software . It wasn't the original plan, but under the circumstances, it made the most sense.

Despite the uncertain economic climate, not to mention the uncertain future all of us faced, a funny thing happened. We all pulled together, tightened our belts a little, and forged ahead. Profitability continued. Epic amounts of customer satisfaction were attained. We showed incredible strength and determination. Every one of us.

Meanwhile, the rest of Nokia downsized and reorganized. The company has asked employees to volunteer for a layoff as well as for ideas for cost savings. I would not be surprised if additional actions are being considered to ensure survival during this protracted recession.

Clearly, my days at Nokia are numbered. Some of us will end up at Check Point. Others, sadly, will not. It's not only a long goodbye to a company that has treated me well for 10+ years, but to a "family" of people I've worked with. While, like all families, we disagreed at times, we all tried our best to "delight our customers" and be "very human" (to borrow a couple of Nokia's values).

While it is goodbye to some, many of us will continue to work together as part of Check Point. Clearly, it won't be the same as it was. I have hope that, in time, it will be much better than what we had.


Where Does The IPS Go?

Intrusion Prevention Systems are designed to detect attacks that are occurring over the network and act upon them in some way. They are not unlike firewalls, but they approach the problem from the opposite direction. Whereas your typical network firewall is a "deny by default" system (deny everything except traffic that matches an explicit allow rule), an IPS tends to be an "allow by default" system (pass everything except traffic that matches an attack signature or looks anomalous). Also, firewalls tend to be routers, serving as a network choke point, whereas the IPS is a transparent "bump in the wire" looking at all traffic passing through it. It is usually deployed in-line with the firewall, on either the ingress or the egress side.

Joel Esler, one of the professional services guys for Sourcefire, who sell IPS solutions (Nokia, my employer, is a Sourcefire partner), wrote an interesting blog post decrying the typical practice of deploying the IPS outside the Internet-facing firewall. His basic message: if your Internet-facing firewall is properly configured and your important machines are properly ensconced behind it, you don't need an IPS on the outside of your firewall. The IPS should be placed inside the firewall.

While I agree that IPS is needed inside the external firewall, I think IPS has a useful place outside the firewall as well. It is not always feasible to put everything behind a firewall. For example, it may not be possible/feasible to subnet your external network so you can put stuff behind a firewall. You might be using a service that does not play nice with a firewall. Or any number of other technical or political reasons.

Even if you can manage to get everything behind a stateful inspection firewall, what's looking after the firewall? Sure, a properly configured firewall will deflect most of what the Internet is likely to throw at it, but even a properly configured firewall can itself have a security vulnerability, and nothing in front of it will see the traffic that exploits it.

To throw another viewpoint into the mix, perhaps the place to integrate IPS functionality is right in the firewall itself. Check Point was clearly starting down this road with SmartDefense in the NG AI release of VPN-1. Now in the R70 release of Check Point's Security Gateway product, we have the IPS software blade, which is a full-blown IPS.

The bottom line is that if you're going to use an IPS, you need it everywhere bad stuff could happen--inside or just outside your security perimeter. Or on the firewall itself ;)
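To make the "deny by default" versus "allow by default" distinction concrete, here is a toy model written for this page (example code, not from the original post, Sourcefire, or Check Point). The firewall passes only destinations and ports on an explicit allow list; the IPS passes everything except payloads matching a signature. The addresses, the allow list, the three signatures and the five packets are all constructed for illustration, and the signatures are hypothetical stand-ins for the thousands of rules a real IPS ships with. Running the same packets through both placements shows why each side of the argument above has a point: outside the firewall the IPS sees every probe the firewall would have silently dropped (more noise), but it also sees traffic addressed to the firewall itself; inside, it sees less, yet it is the only thing that catches the attack riding on an allowed port.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Added example: toy model of a default-deny firewall and a default-allow IPS in line.
# Addresses, rules, signatures and packets are constructed; none come from a real product.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""

# Firewall policy: deny by default.  Only these (destination, port) pairs are reachable
# from the outside.  203.0.113.0/24 is a documentation range (constructed servers).
FIREWALL_ALLOW = {
    ("203.0.113.10", 80),   # web server
    ("203.0.113.10", 443),
    ("203.0.113.25", 25),   # mail relay
}

def firewall_verdict(pkt: Packet) -> str:
    """Default deny: a packet passes only if an explicit allow rule matches."""
    return "allow" if (pkt.dst, pkt.dport) in FIREWALL_ALLOW else "deny"

# IPS policy: allow by default.  Only payloads matching a signature are dropped.
# Hypothetical patterns; a real ruleset is far richer and protocol-aware.
IPS_SIGNATURES = [
    ("dir-traversal",      re.compile(rb"\.\./(\.\./)+")),
    ("shell-metachar-uri", re.compile(rb"[;|`]\s*(cat|sh|bash)\b")),
    ("smtp-verb-overflow", re.compile(rb"^(HELO|EHLO) .{512,}", re.I)),
]

def ips_verdict(pkt: Packet) -> tuple[str, str | None]:
    """Default allow: a packet is dropped only when a signature matches its payload."""
    for name, pattern in IPS_SIGNATURES:
        if pattern.search(pkt.payload):
            return "drop", name
    return "allow", None

def run_chain(pkt: Packet, ips_outside: bool) -> dict:
    """Pass one packet through the in-line pair in deployment order.  Reports the
    final verdict, which device made it, and which devices actually saw the packet."""
    order = ["ips", "firewall"] if ips_outside else ["firewall", "ips"]
    seen: list[str] = []
    for dev in order:
        seen.append(dev)
        if dev == "firewall" and firewall_verdict(pkt) == "deny":
            return {"final": "deny", "by": "firewall", "sig": None, "seen_by": seen}
        if dev == "ips":
            verdict, sig = ips_verdict(pkt)
            if verdict == "drop":
                return {"final": "drop", "by": "ips", "sig": sig, "seen_by": seen}
    return {"final": "allow", "by": None, "sig": None, "seen_by": seen}

def ips_load(packets: list[Packet], ips_outside: bool) -> int:
    """How many of the packets the IPS has to inspect in a given placement."""
    return sum("ips" in run_chain(p, ips_outside)["seen_by"] for p in packets)

# Constructed traffic from a hypothetical outside host 198.51.100.7.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "203.0.113.10", 23),                               # telnet probe
    Packet("198.51.100.7", "203.0.113.10", 22, b"SSH-2.0-OpenSSH_5.1\r\n"),   # ssh probe
    Packet("198.51.100.7", "203.0.113.10", 80,
           b"GET /../../../../etc/passwd HTTP/1.0\r\n\r\n"),                   # traversal on an allowed port
    Packet("198.51.100.7", "203.0.113.10", 80,
           b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),     # normal web hit
    Packet("198.51.100.7", "203.0.113.25", 25, b"EHLO mail.example.net\r\n"), # normal SMTP
]

if __name__ == "__main__":
    for placement in (True, False):
        where = "outside" if placement else "inside"
        print(f"IPS {where} the firewall: inspects "
              f"{ips_load(SAMPLE_PACKETS, placement)} of {len(SAMPLE_PACKETS)} packets")
        for pkt in SAMPLE_PACKETS:
            r = run_chain(pkt, placement)
            print(f"  {pkt.dst}:{pkt.dport:<3} -> {r['final']:5} by {r['by']} {r['sig'] or ''}")
```

With the IPS outside, it inspects all five packets and the two port probes are still killed by the firewall behind it; with the IPS inside, it inspects only the three packets the firewall admits, and the directory traversal on port 80 is dropped by the IPS alone, since the firewall has no opinion about payloads on a port it allows.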


Humbled

One of the things that is making this transition to Check Point Software easier is the community of people that support, use, and sell what used to be called Firewall-1, but now goes by a few different names and offers many more functions than just firewalling and VPNs. It's a community I have never really left, having spent the last decade in Nokia's Security Appliance Business, but it's one I was less visible in over the past several years.

Despite being less visible in recent years, I have still been contributing, albeit indirectly. I have been maintaining Nokia's knowledge base, which of course contains many articles that relate to Check Point. I haven't written many Check Point-related articles in recent years, but I do work to make sure that the articles other folks in support write are readable. I also help our team out in various and sundry capacities, with the goal of getting customer issues resolved quickly.

In the course of this work, and my presence on many a social network, I run across the occasional person who thanks me for the contribution I made to the betterment of the Check Point community many years ago. As I re-engage in the community, the accolades have noticeably increased.

Meanwhile, Kellman Meghu, an SE manager for Check Point Software in Canada, recently gave a troubleshooting presentation at CPX 2009 in Las Vegas (CPX, or Check Point Experience, is their annual trade show). In the presentation, he apparently decided to use a picture of me to represent the moment when things got hairy and you needed expert advice from support.

Kellman tweeted the following yesterday:

Used a picture of @PhoneBoy in his presentation. The crowd cheered; no one has forgotten the help he has provided to CP users.

To say I was touched and humbled is an understatement.

So what now? Hard to make any grand plans under the circumstances, but I'm keeping busy. I'm still running the FireWall-1 Gurus mailing list and participating on the CPUG Forums, helping out where I can. It's not much, but until the deal between Nokia and Check Point closes, it's difficult to do much else.

Even PhoneBoy Can't Fix Hardware Problems

I recently went through the trouble of installing a Nokia IP260 as a firewall at home. It was one of the only machines I felt I could keep running in my office for any length of time and not cringe at the fan noise being thrown off. Clearly, our security appliances are not designed for home installation ;)

Unfortunately, the IP260 I had been using decided to die. Again. The unit had been sent to our repair facility on two separate occasions for repair for the same problem: won't even get to the boot manager. As a software guy, there's not a whole lot I can do about hardware problems ;)

The method they make employees follow is the "Return and Repair" method. We ship the box to the repair facility, they fix it and send it back to us. The only time a customer would ever follow this process is if their box is not covered by a support agreement. Otherwise, most direct customers get Advanced Replacement or on-site replacement, depending on your purchased support agreement.

The good news is that this unit should be scrapped and I'll get a (like) new unit to replace it. I also can run R65 now instead of R62. The bad news? I have to listen to the whine of the fans of an IP390 for a while.

Update: Our Service Parts guy told me they are going to overnight me a unit. I can scrap the unit myself. Spare parts FTW!

Watching All The Cameras At The Inauguration

I got an email from the National Science Foundation regarding an interesting technology they used to watch all the surveillance cameras at President Obama's inauguration. According to the press release put out by the NSF, the technology created by VSee gave law enforcement the ability to look at multiple cameras in real-time--even from police cruisers on a mobile phone network connection!

VSee sells their technology as a videoconferencing/application sharing service for companies, though at $50 per user per month, it's a bit pricey. However, you can be assured the service will work over low-bandwidth connections, is secured with FIPS 140-2 certified 256-bit AES encryption, and will traverse firewalls.

You can try the service with 3 users for free to see how well it works. Of course, without a Mac version, it's unlikely I'll spend a lot of time using it. I will have to see how well it works across the great firewall of Nokia before I become an ex-employee ;)

Finding a Needle When You Can't Look in the Haystack

Long before I was a security geek, I was a systems administrator. Oh sure, security goes with the territory when you're a systems administrator, but it's only one aspect of the job.

Needless to say, I've maintained email servers as part of my duties, where I've had plenty of access to look at people's private emails. I also ran a computer bulletin board in the late 1980s, where I had the same privilege. In college, I did a term paper where I wrote about the Electronic Communications Privacy Act of 1986, which protects people's personal email, but does little to protect corporate email. Provisions in the law allow business to monitor their networks for business purposes, which means they can see everything going on--including potentially non-business related communications.

While generally speaking, all an employer in the U.S. has to do is disclose that use of the corporate network is subject to monitoring, that is not the case in many European countries, where there are strict data privacy laws forbidding the practice. That would make it difficult for, let's say, Nokia, to find out if a Finland-based employee was leaking secrets about upcoming handsets. It's so difficult, in fact, that there was a reported rumor that Nokia was threatening to leave Finland if they couldn't get a law passed that would allow employee email monitoring.

While Nokia spokespeople are officially denying this rumor, it doesn't change the fact that the passing of such a law would be extremely beneficial to Nokia. Many companies, including Nokia, have a similar problem: how can evidence of corporate wrongdoing be found when you can't look where evidence of wrongdoing would easily be found? In Europe, obviously, there are strict laws regulating who can see or do what with "private" electronic communications like email.

Even if monitoring workplace communications is legal, let's assume the communication is somehow encrypted. How would you determine something inappropriate is going on? One school of thought is that the very use of encryption implies you have something to hide--something the company might not like.

Even if a communication is encrypted, some things about the communication usually aren't: who it's coming from, where it's going to, and how much data or how long it is. One can certainly make some inferences based on that information, but one cannot conclusively prove that wrongdoing is taking place. However, you might find out enough just from that information alone to suspect something.
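Here is what that kind of inference looks like in practice, as an added example written for this page (not from the original post, and not from any Nokia or Check Point product). It walks a set of constructed connection records, keeps only encrypted sessions from internal hosts to external destinations, and flags sources that pushed a lot of data out while receiving very little back. The internal ranges, the "encrypted" port list, the business-hours window and the byte and ratio thresholds are all assumptions chosen for the illustration. The output is a list of hosts worth a closer look, not a finding: a nightly backup to a hosted service produces exactly the same metadata as an exfiltration.

```python
from __future__ import annotations
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Added example: inference from connection metadata only (who, where, when, how much).
# Networks, ports, thresholds and the flow records are constructed for illustration.

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
ENCRYPTED_PORTS = {22, 443, 465, 993, 995}   # assumed: SSH, HTTPS, SMTPS, IMAPS, POP3S
MB = 1024 * 1024

@dataclass(frozen=True)
class Flow:
    start: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int   # bytes sent by src
    bytes_in: int    # bytes received by src

def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: start src dst dport bytes_out bytes_in."""
    ts, src, dst, dport, out, inn = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(out), int(inn))

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def off_hours(t: datetime) -> bool:
    """Assumed business day 07:00-19:00; anything else counts as off-hours."""
    return t.hour < 7 or t.hour >= 19

def summarize(flows: list[Flow]) -> dict[str, dict]:
    """Per internal source: totals for encrypted sessions to external destinations."""
    acc: dict[str, dict] = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0,
                                                 "sessions": 0, "off_hours": 0,
                                                 "destinations": set()})
    for f in flows:
        if not is_internal(f.src) or is_internal(f.dst) or f.dport not in ENCRYPTED_PORTS:
            continue   # only the traffic the text describes: encrypted and leaving the company
        s = acc[f.src]
        s["bytes_out"] += f.bytes_out
        s["bytes_in"] += f.bytes_in
        s["sessions"] += 1
        s["off_hours"] += off_hours(f.start)
        s["destinations"].add(f.dst)
    for s in acc.values():
        s["ratio"] = s["bytes_out"] / max(1, s["bytes_in"])   # upload-to-download ratio
    return dict(acc)

def suspicious(flows: list[Flow], min_out: int = 20 * MB, min_ratio: float = 10.0) -> list[str]:
    """Sources that sent a lot of encrypted data out with little coming back.
    Grounds for suspicion only; the payload itself was never inspected."""
    summary = summarize(flows)
    return sorted(src for src, s in summary.items()
                  if s["bytes_out"] >= min_out and s["ratio"] >= min_ratio)

# Constructed flow log (start src dst dport bytes_out bytes_in).
SAMPLE_LOG = """\
2009-02-03T10:12:07 10.1.2.3   198.51.100.9  443 12000    850000
2009-02-03T10:40:51 10.1.2.3   10.0.5.5      993 52000000 4096
2009-02-03T14:05:22 10.1.2.90  198.51.100.9  443 1500000  3000
2009-02-03T22:41:07 10.1.2.44  203.0.113.77  22  52428800 4096
2009-02-03T23:05:30 10.1.2.44  203.0.113.77  22  31457280 2048
2009-02-04T09:15:00 10.1.2.44  198.51.100.9  443 9000     410000
"""
SAMPLE_FLOWS = [parse_flow(line) for line in SAMPLE_LOG.splitlines() if line.strip()]

if __name__ == "__main__":
    for src, s in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{src:<10} out={s['bytes_out'] / MB:7.1f}MB in={s['bytes_in'] / MB:6.1f}MB "
              f"sessions={s['sessions']} off_hours={s['off_hours']} ratio={s['ratio']:.0f}")
    print("worth a closer look:", suspicious(SAMPLE_FLOWS))
```

In the constructed log, 10.1.2.3's large session is to an internal mail server and is ignored, 10.1.2.90's upload is too small to matter at the default threshold, and 10.1.2.44 stands out for two late-night SSH sessions to one outside host that sent roughly 80 MB and got almost nothing back. That is as far as the metadata can take you; what was in those sessions is still unknown.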

Of course, if you're going to leak any company secrets, it's probably best not to do it using the corporate network ;)

Security Folks: Let's Not Forget The Dialup Users

My friends at Sourcefire shared a rather interesting experience about using an Internet-connected computer in an East African country. Broadband is still a dream there, and dialup is most certainly not cheap when it's charged by the minute.

Aside from just the experience of using the Internet on dialup--which I effectively did about 18 months ago during a move--there is a serious question about how up-to-date you can keep a computer when you have to download the multi-megabyte security updates over a non flat-rate dialup connection. The short answer: you can't.

In reality, no operating system is spared the pain of large updates. While Microsoft is bagged on for its constant need for updates, Mac OS X and Linux have them too. My last set of Mac OS X updates under 10.4 was over 200 MB, which would take me more than 8 hours on a 56k line! Linux seems to require fewer updates, though it does depend on which applications you have installed.

Then, of course, there are the updates for the anti-virus and security software. I don't run anti-virus and security software on Mac or Linux, but you can bet that I do run it on all my Windows boxes. Yet more updates to be downloaded over a slower connection.

Between the third world and places in the first world where broadband hasn't reached yet, there is still a significant population on dialup. Even though these computers aren't online 24x7 the way broadband machines are, the real security problem isn't unsolicited inbound traffic, which the Windows Firewall (installed and enabled by default since XP SP2) already blocks. It's the web browser, which invites the hostile content in.

I did find a clever-looking program called ForceField, which is focused entirely on web browser-specific protections. I haven't tried it just yet, but I suspect once the acquisition of Nokia's Security Appliance Business is completed, it should be relatively easy for me to get a copy to try out for longer than a few days. ;)

While ForceField addresses a small part of the problem, I'm not sure there is a good solution to the general problem of pushing larger and larger software down a dialup-sized pipe. Even with the protection that ForceField provides, it's always a good idea to keep your operating system and applications up to date.

Watch for Domain Scammers like ZipDomains

Several years ago, I purchased a domain for our family. Upon doing the prerequisite search, we ultimately settled on a .net name. Not our first choice, but it was what was available.

On 1 January, I got an email from a company called Zip Domains on my admin email address:

Our company specializes in acquiring expired domain names to help individuals and businesses protect their brand online.

The domain name XXXXXX.COM is expired and will become available soon.

We noticed that you own XXXXXX.NET and felt that you may be interested in acquiring the .COM version of your existing domain name.

We can assist in trying to acquire the domain name, as there are likely many interested parties competing for it.

There are no upfront costs, and the fee if we are successful is only $199 USD.

If you are interested, please let us know by January 3 at the latest.

Sorry, but someone tried to sell me the domain earlier in the year for less than that. Think I'm going to pay $199 to some company that spammed me? Fat chance!

At that point, I checked the whois registry and found the domain was about to be removed from DNS, just like they said. I figured, I'll wait a few days for it to be removed from the whois registry and try to purchase it through 1&1.

On the 9th, I got another email from Zip Domains telling me they had secured the rights to the domain and I could purchase it from them for only $99!

Our company specializes in acquiring expired domain names to help individuals and businesses protect their brand online.

The domain name XXXXXX.COM expired recently and we were able to secure it.

We noticed that you own XXXXXX.COM and felt that you may be interested in acquiring the .COM version of your existing domain name.

It is available for a one-time fee of only $99.00 USD.

To purchase or learn more, please visit http://zipdomains.com/buy.php?domain=xxxxxx.com

While the domain was still showing as being deleted in whois, when I checked the next day, it was available. I went into my domain control panel on 1&1 and ordered the .com domain for $8.99, less than a tenth of what Zip Domains wanted to charge!

I thank Zip Domains for making me aware of the expired domain. However, there was zero chance I was going to pay above the typical registration cost for a domain, particularly for my family where the value of having "the right" domain is relatively low.

I have to wonder how many people fall for Zip Domains' "scam," buying a domain they could have had for the nominal cost if they waited a few days. It's not clear to me Zip Domains actually does anything to secure a domain name. The domain was either marked as "being deleted" or "not present" in whois when Zip Domains told me they had secured it for my purchase, so I question their legitimacy. (If someone from Zip Domains wants to rebut my statements, leave a comment below.)

In short, beware of companies that are trying to scare you into buying a domain from them or send you "renewal" notices in the postal mail--that's my favorite one.


The Academy Home: Network Security for Normal Users

At one time, I thought about doing my own site for "home user" network security. Nice to see my buddies over at The Academy doing it with The Academy Home. While the site is relatively new, they do have a few how-to videos available already, including installing a program I recommend wholeheartedly: K9 Web Protection from Blue Coat Systems.

I'd like to see some stuff on configuring Windows XP with non-admin users for your kids. I have to do this for my friends all the time. That right there makes it more difficult for a piece of malware that does get in to do any damage.