As Slowloris HTTP DoS Rises Astaro is Ready

June 26, 2009

By: Angelo Comazzetto

Recently the Slowloris Denial of Service attack has jumped in popularity. This attack is similar to SYN flood, but uses HTTP instead, basically consuming sockets on the Web Server vs. trying to saturate all the bandwidth. This is an interesting attack, particularly because it does not require a lot of bandwidth by the attacker. It is possible to DoS even large sites simply using a common residential Internet connection, and using Slowloris to eat-up the Web Server’s ability to respond to other HTTP requests, by sending partial ones itself and thus holding the sockets open. You can read more about this DoS technique here.

While the approach is not new, the working implementation of it “for the masses” is starting to appear more commonly.

As we have already received dozens of queries about how to stop this attack, we’d like to inform you that Astaro installations with current/updated Intrusion Protection Patterns will be protected against this, so neither admins nor their Web Servers need to fear. The ID for this new rule is #1000023, and is located in the HTTP Servers Group under the Apache category.
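To show the server-side mitigation the post describes (refusing to let half-sent requests hold sockets open), here is an added Python example that is not Astaro's code or the Intrusion Protection pattern mentioned above: it bounds the time a connection may take to finish its request headers, bounds the header size, and caps in-progress connections per client address. Connection ids, addresses and timings are constructed sample values.

```python
# Guard against slow-header connection exhaustion: each connection must finish its
# request headers (terminated by a blank line) within a deadline, or it is dropped.
HEADER_TIMEOUT_S = 10.0   # seconds allowed to complete request headers
MAX_HEADER_BYTES = 8192   # drop connections whose headers never end before this size
MAX_CONNS_PER_IP = 20     # cap on concurrent not-yet-complete requests per client address

class SlowHeaderGuard:
    def __init__(self, header_timeout=HEADER_TIMEOUT_S, max_per_ip=MAX_CONNS_PER_IP,
                 max_header_bytes=MAX_HEADER_BYTES):
        self.header_timeout = header_timeout
        self.max_per_ip = max_per_ip
        self.max_header_bytes = max_header_bytes
        self.conns = {}   # conn_id -> [client_ip, opened_at, buffered header bytes]
        self.per_ip = {}  # client_ip -> number of open connections still sending headers

    def open(self, conn_id, client_ip, now):
        """Register a new connection; returns False when the per-IP cap is reached."""
        if self.per_ip.get(client_ip, 0) >= self.max_per_ip:
            return False
        self.conns[conn_id] = [client_ip, now, b""]
        self.per_ip[client_ip] = self.per_ip.get(client_ip, 0) + 1
        return True

    def feed(self, conn_id, data, now):
        """Append received bytes and return 'complete', 'pending' or 'drop'."""
        rec = self.conns.get(conn_id)
        if rec is None:
            return "drop"                     # unknown or already-closed connection
        rec[2] += data
        if b"\r\n\r\n" in rec[2]:             # end of headers: release the slot
            self._close(conn_id)
            return "complete"
        if now - rec[1] > self.header_timeout or len(rec[2]) > self.max_header_bytes:
            self._close(conn_id)              # too slow or too large: free the socket
            return "drop"
        return "pending"

    def sweep(self, now):
        """Close idle connections past the deadline (run periodically); returns their ids."""
        stale = [c for c, (_, t0, _) in self.conns.items() if now - t0 > self.header_timeout]
        for c in stale:
            self._close(c)
        return stale

    def _close(self, conn_id):
        ip = self.conns.pop(conn_id)[0]
        self.per_ip[ip] -= 1

if __name__ == "__main__":
    g = SlowHeaderGuard(header_timeout=10, max_per_ip=2)
    g.open(1, "198.51.100.7", 0.0)            # constructed client address
    print(g.feed(1, b"GET / HTTP/1.1\r\nHost: example.test\r\n", 1.0))   # pending
    print(g.feed(1, b"X-a: 1\r\n", 11.0))                                # drop
```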

Spam Is More Than Annoying

June 23, 2009

By Angelo Comazzetto

Not only is it annoying having to sift through all the garbage which clogs your inbox, but it costs you productivity as you attempt to separate the mails you need from the unwanted items. Spam rarely ends up in my own inbox due to the effectiveness of the blocking solution I use (I use a solution from Astaro), but many of the people I speak with daily communicate that in an inbox with 50 messages, 45 or more can easily be spam on a given day.

How obnoxious is it to go through all of your email and delete meaningless message after meaningless message? You have to wonder what these spammers are thinking – they must know that 99% of their messages are going to be deleted or blocked – and what are they trying to sell by randomly emailing people? Well, first of all they don’t care that 99% of their emails will be deleted or blocked. Because they send out tens of millions of spam messages at a time, if only 1% of the emails get through and accomplish their goal they consider the distribution a success. That is why spammers use topics currently in the news (like the Swine Flu) to grab the attention of the few people who don’t have a spam blocker already in place.

So, what can you do to stop these annoying, and potentially harmful, messages from getting into your inbox? Email filtering is just the beginning. Email filtering will only work as a spam blocker if you are identifying spam properly and using the right technology for your organization. Astaro published a white paper describing the dangers of spam and effective anti-spam technologies and techniques. To read this white paper visit The Hidden Dangers of Spam.

Ideas are for sharing

June 15, 2009

We are rolling out a new service for our partners and customers – an improved feature request site. On this new site our partners and customers can make suggestions for improvements or request totally new functionality. Not only can visitors make their own suggestions – they can vote on the suggestions of others, giving us a better understanding of the popularity or urgency of specific network security needs. We will be using the insight gained from this site to plan future product updates and releases. We’ve always taken the suggestions of our partners and customers into account when planning future enhancements to our products – we know they have the best insight into what they need for web security, but this new site gives them a formal channel for making suggestions. I’m excited to read the suggestions we receive and I look forward to learning more about what our customers and partners want.

Microsoft’s DirectAccess: Reinventing VPN

June 8, 2009

By Tim Cronin

As we know, Virtual Private Networking (VPN) is a technology that allows remote systems to connect to a local system in a secure manner. This is what Microsoft’s DirectAccess is setting out to do as well. Microsoft is marketing the new remote access tool as somewhat of a revolution, claiming that you can throw the VPN out with the bathwater. This is not necessarily the case, but DirectAccess may still herald a new generation of VPN technologies.

WHAT IS DirectAccess

DirectAccess is a technology that allows Vista, Server 2008 and Windows 7 to connect with the office LAN seamlessly, without having to log into any clients. DirectAccess can also be used to remotely manage remote PCs without the PCs needing a logged-in user (for instance, you can push a new update to an idle PC). This technology comes at a time when there are a multitude of remote technologies to choose from, so Microsoft is distinguishing itself by saying that DirectAccess is basically a hands-off technology. The user doesn’t need to do anything except get a network connection and log into the machine as normal – the OS takes care of the rest.

HOW IT WORKS

Despite Microsoft’s marketing, DirectAccess is a VPN technology with new functionality. For those familiar with configuring VPNs, DirectAccess uses IPSec to tunnel the remote system to a DirectAccess server. The DirectAccess server then authenticates the system and, if configured, authenticates the user. Both of these steps rely on certificates (with the option of smart cards for multi-factor authentication of the user). From here, there are differences in topology and design from which you can choose. You can use “End to End” (security to the application server) or “End to Edge” (security to the perimeter, then letting unsecured traffic onto the LAN).

One key piece of information that must be taken into account: DirectAccess uses IPv6 as the preferred protocol. You can use IPv4, but there will be extra steps that you may need to take. There are several more key points to the connection, for which I will refer you to Microsoft’s documentation at http://www.Microsoft.com/servers/directaccess.mspx.

SECURITY CONCERNS

Microsoft has taken steps to make sure that the security of this technology is the focus, and seems to have been successful. When this technology is configured properly and used properly, I can see a step forward with this technology. That being said, DirectAccess does assume some things. The most glaring is that user authentication is not required. If a user’s laptop is stolen and not reported in time, then it is conceivable that an attacker would have access to your internal network. Although they may not be able to log into the domain, there is still an IPSec connection between the attacker and the LAN. This will make the use of full disk encryption even more necessary. Also, the fact that there are so many technologies involved in order to get a connection is a concern. If any one of them has a vulnerability it can be a problem, to say the least.

END OF THE VPN?

All in all, I don’t think DirectAccess will herald the end of the VPN. I think that there may be some changes, but VPN is here to stay for the moment. The public information on DirectAccess is still a bit hazy on site-to-site connections (in fact, I am not sure it’s possible). For this reason VPNs are still going to be in use. Also, remote access VPN technologies, as they exist today, will adapt to new market requirements. I foresee the major VPN vendors keeping pace with Microsoft.

Advice for the Cyber Czar

May 28, 2009

By: Angelo Comazzetto

Yesterday, the Washington Post reported that President Obama is preparing to announce the appointment of a national “’cyber czar,’ a senior White House official who will have broad authority to develop strategy to protect the nation’s government-run and private computer networks”, and that this announcement will coincide with the release of the government’s cyber-security initiatives and policies. (Article here).

While I am not holding my breath waiting for a call from the White House, I do have some advice for the new cyber czar.

First of all, it is going to be important for you to be transparent and to quell fears that this is the first step towards an Orwellian world. Let people know you do not plan on being “big brother” and that you in no way plan to censor or shut down the Internet. This might sound silly, but there are some that see the creation of a cyber czar and the potential passing of the CyberSecurity Act of 2009 as a step towards a government-run web.

Second, take a good hard look at our infrastructure and figure out just how much of it is dependent on the web. Then determine which networks are the most vulnerable and most likely to be attacked. Are we really worried about our cable stations being hacked by foreign countries? It wouldn’t be good, but I think having a virus in our electric grid would be worse. However, let’s stop talking and creating reports about how important this role is and why. We all know what’s at stake – it’s time to take some action.

Which brings me to my third and final piece of advice: We should focus on ways to prevent attacks from succeeding, rather than standards for what to do if we are attacked via the Internet. I realize we need to have a system in place for IF our networks are penetrated, but just like businesses, we should focus on keeping viruses and malicious code out of our critical infrastructure networks, rather than fixing the mess once we know it is there. This will save our country time, money and possibly even lives.

I will continue blogging about the creation of the cyber czar and what the government is doing to protect critical infrastructure networks, so check back often.

Virtual Appliances enable partners to offer security solutions in a SaaS environment

May 20, 2009

On Monday we announced the availability of the Astaro Web Gateway and Astaro Mail Gateway point solutions as virtual appliances. We offer these point solutions as virtual appliances to help organizations take advantage of the cost savings this deployment method offers.

The virtual appliances offer partners an additional benefit – the virtual appliances enable our partners to offer their customers the Astaro Web Gateway and Astaro Mail Gateway in a Software as a Service environment rather than as a hosted solution. Partners simply deploy the products as virtual appliances on their own hardware and then deploy a clone of the virtual machine for each customer, providing them with the e-mail and web security they require.

Organizations are continuing to look for ways to reduce costs and “being able to offer a SaaS deployment of an award winning security product is a huge competitive advantage,” said Astaro partner John Boudreau, vice president, Micros Northeast.

For more information on the Astaro Web Gateway virtual appliance offering visit: http://www.astaro.com/our_products/astaro_web_gateway/virtual_appliance

For more information on the Astaro Mail Gateway virtual appliance offering visit: http://www.astaro.com/our_products/astaro_mail_gateway/virtual_appliance

Welcome to the Astaro Security Perspectives blog

May 4, 2009

Welcome to the Astaro Security Perspectives blog. The Security Perspectives blog is a forum for information on security trends, current threats, news and ideas.