Archive for June, 2009

As Slowloris HTTP DoS Rises Astaro is Ready

June 26, 2009

By: Angelo Comazzetto

Recently the Slowloris Denial of Service attack has jumped in popularity. The attack is similar in spirit to a SYN flood, but works at the HTTP layer: instead of trying to saturate the link, it exhausts the Web Server's pool of connection slots. Slowloris opens many connections and sends only partial HTTP requests on each, dribbling out header lines slowly enough that the server keeps waiting for the request to finish and never frees the socket. This makes it an interesting attack, because the attacker needs very little bandwidth; even large sites can be taken offline from a common residential Internet connection while the server's capacity to answer legitimate HTTP requests is eaten up. You can read more about this DoS technique here.

While the approach is not new, working implementations of it "for the masses" are starting to appear more commonly.

As we have already received dozens of queries about how to stop this attack, we'd like to inform you that Astaro installations with current/updated Intrusion Protection Patterns are protected against it, so neither admins nor their Web Servers need to fear. The ID for the new rule is #1000023, and it is located in the HTTP Servers group under the Apache category.
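The socket-holding mechanism described above is usually countered on the server side by refusing to wait indefinitely for a request head to complete and by capping how many connections one client may hold at once. The following is an added illustration of those two controls, not Astaro's or Apache's code: a header-read loop with a completion deadline and a per-address connection gate. The deadline and limit values, the `FakeClock`, the `scripted_socket` helper and the `demo()` function are all assumptions constructed so the example runs offline without real network I/O.

```python
"""Added example (not code from the original post or from Astaro):
two server-side mitigations against Slowloris-style partial requests,
a deadline for completing the request head and a per-client connection cap.
A fake clock and a scripted byte stream stand in for real sockets."""
import time
from collections import Counter

MAX_HEAD_BYTES = 8192     # reject absurdly long request heads (assumed value)
HEAD_DEADLINE = 10.0      # seconds a client gets to finish its headers (assumed value)
MAX_CONN_PER_IP = 20      # concurrent sockets one address may hold (assumed value)


class SlowHeadError(Exception):
    """The client did not finish its request head before the deadline."""


def read_request_head(recv, clock=time.monotonic, deadline=HEAD_DEADLINE,
                      max_bytes=MAX_HEAD_BYTES):
    """Read until the blank line that terminates the HTTP request head.

    recv() returns the next chunk of bytes (b"" on EOF). The deadline is
    measured from the first call, so a client trickling one header line at
    a time cannot hold the socket open indefinitely.
    """
    start = clock()
    buf = b""
    while b"\r\n\r\n" not in buf:
        if clock() - start >= deadline:
            raise SlowHeadError("request head not completed within %.1fs" % deadline)
        if len(buf) > max_bytes:
            raise ValueError("request head too large")
        chunk = recv()
        if not chunk:
            raise ConnectionError("client closed before completing request head")
        buf += chunk
    return buf.split(b"\r\n\r\n", 1)[0]


class ConnectionGate:
    """Count live sockets per client address and refuse the excess."""

    def __init__(self, limit=MAX_CONN_PER_IP):
        self.limit = limit
        self.active = Counter()

    def accept(self, ip):
        """Return True if the connection may be kept, False if it must be dropped."""
        if self.active[ip] >= self.limit:
            return False
        self.active[ip] += 1
        return True

    def release(self, ip):
        """Call when a socket for ip is closed."""
        if self.active[ip] > 0:
            self.active[ip] -= 1


class FakeClock:
    """Deterministic stand-in for time.monotonic (assumed helper)."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def scripted_socket(chunks, clock, gap):
    """Simulate a peer that delivers one chunk every `gap` seconds (assumed helper)."""
    it = iter(chunks)

    def recv():
        clock.advance(gap)
        return next(it, b"")
    return recv


def demo():
    """Run a normal client and a trickling client through the same reader."""
    clock = FakeClock()
    normal = scripted_socket([b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"], clock, 0.1)
    head = read_request_head(normal, clock=clock)

    # constructed slow stream: one filler header every 7 s and never a blank line
    slow_chunks = [b"GET / HTTP/1.1\r\n"] + [b"X-Filler: 1\r\n"] * 100
    clock = FakeClock()
    slow = scripted_socket(slow_chunks, clock, 7.0)
    try:
        read_request_head(slow, clock=clock)
        outcome = "completed"
    except SlowHeadError:
        outcome = "dropped"     # the socket is freed instead of held open

    gate = ConnectionGate(limit=2)
    gate_results = [gate.accept("203.0.113.5") for _ in range(3)]
    return head, outcome, gate_results


if __name__ == "__main__":
    print(demo())
```

The deadline is the important control: a slot is reclaimed after a bounded time no matter how slowly the peer sends, which is the same idea Apache later shipped as the `RequestReadTimeout` directive of mod_reqtimeout. The per-address cap is a blunter second layer and is less useful on its own, since the attack can be spread across many source addresses.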


Spam Is More Than Annoying

June 23, 2009

By Angelo Comazzetto

Not only is it annoying having to sift through all the garbage which clogs your inbox, but it costs you productivity as you attempt to separate the mails you need from the unwanted items. Spam rarely ends up in my own inbox due to the effectiveness of the blocking solution I use (a solution from Astaro), but many of the people I speak with daily communicate that in an inbox with 50 messages, 45 or more can easily be spam on a given day.

How obnoxious is it to go through all of your email and delete meaningless message after meaningless message? You have to wonder what these spammers are thinking – they must know that 99% of their messages are going to be deleted or blocked – and what are they trying to sell by randomly emailing people? Well, first of all, they don't care that 99% of their emails will be deleted or blocked. Because they send out tens of millions of spam messages at a time, if only 1% of the emails get through and accomplish their goal, they consider the distribution a success. That is why spammers use topics currently in the news (like the Swine Flu) to grab the attention of the few people who don't have a spam blocker already in place.

So, what can you do to stop these annoying, and potentially harmful, messages from getting into your inbox? Email filtering is just the beginning. Email filtering will only work as a spam blocker if you are identifying spam properly and using the right technology for your organization. Astaro has published a white paper describing the dangers of spam and effective anti-spam technologies and techniques. To read this white paper, visit The Hidden Dangers of Spam.

Ideas are for sharing

June 15, 2009

We are rolling out a new service for our partners and customers – an improved feature request site. On this new site our partners and customers can make suggestions for improvements or request totally new functionality. Not only can visitors make their own suggestions – they can vote on the suggestions of others, giving us a better understanding of the popularity or urgency of specific network security needs. We will be using the insight gained from this site to plan future product updates and releases. We've always taken the suggestions of our partners and customers into account when planning future enhancements to our products – we know they have the best insight into what they need for web security, but this new site gives them a formal channel for making suggestions. I'm excited to read the suggestions we receive, and I look forward to learning more about what our customers and partners want.

Microsoft’s DirectAccess: Reinventing VPN

June 8, 2009

By Tim Cronin

As we know, Virtual Private Networking (VPN) is a technology that allows remote systems to connect to a local system in a secure manner.  This is what Microsoft’s DirectAccess is setting out to do as well.  Microsoft is marketing the new remote access tool as somewhat of a revolution, claiming that you can throw the VPN out with the bathwater.  This is not necessarily the case, but DirectAccess may still herald a new generation of VPN technologies.

WHAT IS DirectAccess

DirectAccess is a technology that allows Vista, Server 2008 and Windows 7 to connect with the office LAN seamlessly, without having to log into any client software.  DirectAccess can also be used to manage remote PCs without a logged-in user on the PC (for instance, you can push a new update to an idle PC).  This technology comes at a time when there are a multitude of remote access technologies to choose from, so Microsoft is distinguishing itself by saying that DirectAccess is basically a hands-off technology.  The user doesn't need to do anything except get a network connection and log into the machine as normal – the OS takes care of the rest.


Despite Microsoft's marketing, DirectAccess is a VPN technology with new functionality.  For those familiar with configuring VPNs, DirectAccess uses IPsec to tunnel the remote system to a DirectAccess server.  The DirectAccess server then authenticates the system and, if configured, authenticates the user.  Both of these steps rely on certificates (with the option of smart cards for multi-factor authentication of the user).  From here, there are differences in topology and design from which you can choose.  You can use "End to End" (the tunnel is protected all the way to the application server) or "End to Edge" (the tunnel is protected only to the perimeter, and traffic then crosses the LAN unprotected).

One key piece of information that must be taken into account: DirectAccess uses IPv6 as the preferred protocol.  You can use IPv4, but there will be extra steps that you may need to take.  There are several more key points to the connection for which I will refer you to Microsoft’s documentation at   


Microsoft has taken steps to make sure that the security of this technology is the focus, and seems to have been successful.  When this technology is configured and used properly, I can see it as a step forward.  That being said, DirectAccess does assume some things.  The most glaring is that user authentication is not required. If a user's laptop is stolen and not reported in time, then it is conceivable that an attacker would have access to your internal network.  Although they may not be able to log into the domain, there is still an IPsec connection between the attacker and the LAN, because the tunnel is established on the machine certificate alone.  This makes the use of full disk encryption even more necessary.  Also, the fact that so many technologies are involved in order to get a connection is a concern.  If any one of them has a vulnerability, it can be a problem to say the least.


All in all, I don't think DirectAccess will herald the end of the VPN.  I think that there may be some changes, but VPN is here to stay for the moment.  The public information on DirectAccess is still a bit hazy on site-to-site connections (in fact, I am not sure it's possible).  For this reason VPNs are still going to be in use.  Also, remote access VPN technologies, as they exist today, will adapt to new market requirements.  I foresee the major VPN vendors keeping pace with Microsoft.