Sunday, May 17, 2009

Useful cheat sheets

Here is a collection of cheat sheets. I find them extremely useful.

Windows command line cheat sheet http://www.sans.org/resources/sec560windows_command_line_sheet_v1.pdf

TCP/IP Cheat Sheet http://www.sans.org/resources/tcpip.pdf?ref=3871

Tcpdump cheat sheet http://planetozh.com/download/refcards/tcpdump.pdf

Linux Security Quick Reference http://www.tldp.org/REF/ls_quickref/QuickRefCard.pdf

Oracle Security Cheat Sheet http://www.red-database-security.com/wp/oracle_cheat.pdf

Nmap & Nessus Cheat Sheet http://www.secguru.com/files/cheatsheet/nessusNMAPcheatSheet.pdf

Google Hacking and Defense Cheat Sheet http://www.sans.org/mentor/GoogleCheatSheet.pdf

SQL Injection Cheat Sheet http://ha.ckers.org/sqlinjection/

Cross Site Scripting Cheat Sheet http://ha.ckers.org/xss.html

Web application Cheat Sheet http://www.secguru.com/files/cheatsheet/webappcheatsheet2.pdf

XSS Cheat Sheet http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Intrusion Discovery Cheat Sheet Windows http://www.sans.org/resources/winsacheatsheet.pdf

Intrusion Discovery Cheat Sheet Linux http://www.sans.org/resources/winsacheatsheet.pdf

Windows looking for compromise http://www.ucl.ac.uk/cert/win_intrusion.pdf

Checking Unix / Linux for compromise http://www.ucl.ac.uk/cert/nix_intrusion.pdf

DDoS incident response cheat sheet http://www.zeltser.com/network-os-security/ddos-incident-cheat-sheet.pdf

Security incident survey http://www.zeltser.com/network-os-security/security-incident-survey-cheat-sheet.pdf

Memory analysis cheat sheet http://computer.forensikblog.de/files/cheatsheet/Memory%20Analysis%20Cheat%20Sheet.current.pdf

Forensic analysis cheat sheet http://forensics.sans.org/community/downloads/retrieve.php?file=handout.pdf

Saturday, May 9, 2009

Help create a safe Internet

Just as security within an organization or a community is everyone's responsibility, so is security on the Internet. Individuals must understand the various cyber threats in order to protect not only themselves, their family and friends, but the whole community. I recently stumbled upon a great site that offers security solutions for everyone who uses the Internet. The site, mysecurecyberspace, is sponsored by Carnegie Mellon CyLab.

Perimeter protection using Juniper Firewalls

I am re-publishing one of my earlier papers on Juniper Firewalls. Although it discusses an older version, the features are still relevant today.

Perimeter protection using Juniper Firewalls

In this information age, where worms, viruses and various other Internet attacks proliferate, securing the perimeter becomes ever more critical for any organization. This paper looks at an economical solution for a small organization to protect its perimeter.

The solution presented in this paper uses low-end Juniper Firewalls.

Internet attacks are performed in a variety of ways, and Juniper Firewalls provide protection against many of them. Below is a brief description of the various ways an attacker may try to intrude into an organization's network.


  • Ping sweeps
To understand the network layout, an attacker uses various reconnaissance techniques, including pinging internal hosts that may or may not respond to pings.

The Juniper Firewall can reject all ping requests after a specified threshold.

  • Port scanning
The purpose of this method is to identify open ports. Once an open port is found, further scanning can be done to identify the version of the application listening on it and to exploit the vulnerabilities found in that application.

The Juniper Firewall can detect and drop scan attempts after a specified threshold. It can also detect and stop scans that use unusual flag combinations, such as SYN-FIN, no flags, or all flags set.

  • IP options scanning
An attacker uses this scanning option as a reconnaissance step to gain more knowledge of the network. The majority of these IP options are never used in a typical network, and the Juniper Firewall can detect these scans.

  • IP spoofing attacks
An attacker uses IP spoofing (forging the source address so that an intermediary device believes the packet came from a trusted source) to gather more information about the network and to attack it.

Juniper Firewalls can be configured to drop such packets.

  • Denial-of-service attacks
A denial-of-service attack is an attempt to make a targeted device or resource unavailable to its users by sending a huge amount of traffic to that device. If such an attack originates from multiple source devices or networks, it is called a distributed denial-of-service attack. These attacks can take many forms, such as SYN floods, UDP floods and ICMP floods.

The Juniper Firewall can prevent such attempts by assigning thresholds that limit the number of permitted sessions from a source IP and to a destination IP. It can also be configured to use a SYN proxy to identify and drop incomplete sessions. Similar protection can be configured against ICMP and UDP flood attacks.

Apart from these protections, the Juniper Firewall can also protect against OS-specific attacks such as Ping of Death, WinNuke and Teardrop.

  • Malicious URL protection
Some URLs entered by an attacker facilitate attacks based on legal but malicious HTTP requests designed to break the server. Many exploits against web servers have been based on URLs that were technically legal but employed buffer overflows or similar techniques.

The Juniper Firewall examines the data payload of all HTTP packets; if it identifies a malicious URL, it blocks that packet from passing through the firewall. The Firewall can also be configured to inspect fragmented packets.

  • Virus scanning
A virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. The Juniper Firewall supports both internal and external virus scanning.

  • Spyware protection
Spyware is a program that gathers user information through the user's Internet connection without the user's knowledge, usually for advertising purposes.

The Juniper Firewall can be configured to block incoming spyware, adware, keyloggers and related malware to prevent it from penetrating the organization's perimeter.

  • Web filtering
Web filtering enables an organization to manage Internet access by preventing access to inappropriate web content.

The Juniper Firewall supports both integrated and external web filtering.

  • Deep Inspection
Deep Inspection is a mechanism for filtering the traffic permitted by the firewall: it examines the Layer 3 and Layer 4 packet headers as well as the Layer 7 application content and protocol characteristics in an effort to detect and prevent attacks.

With Deep Inspection enabled, the Juniper Firewall scans packets for patterns that match those defined in one or more groups of attack signatures or protocol anomalies, which you can either define yourself or download to the security device.
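Several of the protections above (ping sweeps, port scans, and the per-source session limit used against floods) work the same way: the firewall counts what one source does inside a short time window and acts once a threshold is crossed. The following Python model is an added example, not code from the paper or from Juniper; it assumes the rule "ten distinct targets from one source inside a 5000-microsecond window raises an event" (the figures ScreenOS documents as its defaults) and a simple source-IP-based session cap. The packet records, addresses and timings are constructed for the demonstration.

```python
from collections import defaultdict, deque
from typing import List, NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    """One constructed packet record (not captured from a real network)."""
    t_us: int            # arrival time in microseconds
    src: str
    dst: str
    proto: str           # "icmp" or "tcp"
    dport: Optional[int] = None
    syn: bool = False


class SweepScanScreen:
    """Threshold-based IP-sweep / port-scan detection.

    Assumed rule, modelled on the ScreenOS ip-sweep and port-scan screens:
    when one source reaches `targets` distinct destinations (hosts for a
    sweep, host:port pairs for a scan) inside `threshold_us` microseconds,
    an event is logged and the counter for that source starts over.
    """

    def __init__(self, threshold_us: int = 5000, targets: int = 10):
        self.threshold_us = threshold_us
        self.targets = targets
        self._window = defaultdict(deque)   # (kind, src) -> deque of (t_us, target)
        self.events: List[Tuple[str, str, int]] = []

    def _check(self, kind: str, src: str, target, t_us: int) -> bool:
        q = self._window[(kind, src)]
        q.append((t_us, target))
        # drop observations that fell out of the sliding window
        while q and t_us - q[0][0] > self.threshold_us:
            q.popleft()
        if len({tgt for _, tgt in q}) >= self.targets:
            self.events.append((kind, src, t_us))
            q.clear()
            return True
        return False

    def inspect(self, pkt: Packet) -> bool:
        """Return True if this packet completes a sweep or scan pattern."""
        if pkt.proto == "icmp":
            return self._check("ip-sweep", pkt.src, pkt.dst, pkt.t_us)
        if pkt.proto == "tcp" and pkt.syn:
            return self._check("port-scan", pkt.src, (pkt.dst, pkt.dport), pkt.t_us)
        return False


class SessionLimitScreen:
    """Source-IP-based session limit: a source may hold at most
    `max_sessions` concurrent sessions; further new sessions are dropped."""

    def __init__(self, max_sessions: int = 128):
        self.max_sessions = max_sessions
        self._sessions = defaultdict(set)   # src -> {(dst, dport)}

    def open_session(self, src: str, dst: str, dport: int) -> bool:
        """Return True if the session is allowed, False if dropped."""
        key = (dst, dport)
        if key in self._sessions[src]:
            return True                      # already established
        if len(self._sessions[src]) >= self.max_sessions:
            return False
        self._sessions[src].add(key)
        return True


def run_demo() -> dict:
    """Feed constructed traffic through both screens and summarise the result."""
    screen = SweepScanScreen(threshold_us=5000, targets=10)
    traffic = []
    # a scanner pings 12 hosts 100 us apart, then SYN-probes 12 ports 50 us apart
    traffic += [Packet(100 * i, "203.0.113.9", f"10.0.0.{i + 1}", "icmp") for i in range(12)]
    traffic += [Packet(2000 + 50 * i, "203.0.113.9", "10.0.0.5", "tcp", 20 + i, True) for i in range(12)]
    # a monitoring host pings the same 10 hosts, but 100 ms apart: never inside the window
    traffic += [Packet(100_000 * i, "198.51.100.4", f"10.0.0.{i + 1}", "icmp") for i in range(10)]
    traffic.sort(key=lambda p: p.t_us)
    for pkt in traffic:
        screen.inspect(pkt)

    limiter = SessionLimitScreen(max_sessions=3)
    attempts = [("203.0.113.9", "10.0.0.5", p) for p in (80, 443, 22, 25)]
    dropped = sum(0 if limiter.open_session(*a) else 1 for a in attempts)

    kinds = [e[0] for e in screen.events]
    return {
        "ip-sweep": kinds.count("ip-sweep"),
        "port-scan": kinds.count("port-scan"),
        "flagged_sources": sorted({e[1] for e in screen.events}),
        "sessions_dropped": dropped,
    }


if __name__ == "__main__":
    print(run_demo())
```

The monitoring host touches exactly the same ten addresses as the scanner but is never flagged, which is the point of the time window: the screen keys on rate, not on the set of destinations. Tuning the window is therefore a trade-off between catching slow scans and generating false positives from legitimate management traffic.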


Conclusion

Firewalls are the first line of defense for organizations that do not own their perimeter routers, and care must be taken to configure the device to properly ward off the various attacks. Even though securing the perimeter is an integral part of information security, organizations should practice a defense-in-depth strategy, where security is provided in layers to protect the various information assets.

Wednesday, May 6, 2009

McAfee threat report

McAfee released its first-quarter threat report. Here are some of the important data points from the report:


  • McAfee TrustedSource™ has recently observed malware-laden email and spam originating from a variety of government agencies and banking institutions in Russia.
  • The top 10 countries dominate spam production, contributing nearly 70 percent of the total and far outdistancing the other 200-plus countries in the world. The top 10 countries are the US, Brazil, India, South Korea, China, Russia, Turkey, Thailand, Romania and Poland.
  • The top seven countries hosting websites with a malicious reputation are also in the top 10 for hosting phishing, spam and malware/spyware sites.


So, what is the best way to deal with malicious traffic from these countries? If your organization can afford to block traffic from these countries, or from selected ones, block the whole IP address ranges at the external router or firewall. Always aggregate the ranges into "supernets" when blocking, so that the firewall or router uses its resources efficiently: fewer, larger prefixes mean fewer rules to evaluate per packet.

For more information on IP address allocations and whois lookups, use the following links:
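The regional registries publish their allocations as a delegated-statistics file (one `registry|cc|type|start|value|date|status` line per block), and the "value" field is an address count, not a prefix length, so a country's allocations first have to be turned into CIDR blocks and then merged into supernets. The Python below is an added example, not part of the post or of any registry's tooling: it parses a constructed sample in that format (a made-up registry, country codes XX and YY, and RFC 5737 documentation ranges), collapses the result with the standard library, and checks an address against the collapsed list the way a router ACL would.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample in the RIR "delegated" statistics format
# (registry|cc|type|start|value|date|status). The registry name, the
# country codes XX/YY and the address ranges (from the RFC 5737
# documentation blocks) are made up for this example.
SAMPLE_DELEGATED = """\
2|example|20090506|5|19830101|20090505|+0000
example|*|ipv4|*|5|summary
example|XX|ipv4|192.0.2.0|256|20000101|assigned
example|XX|ipv4|198.51.100.0|512|20010101|allocated
example|XX|ipv4|198.51.102.0|768|20010101|allocated
example|XX|ipv4|203.0.113.0|256|20020101|assigned
example|XX|ipv4|203.0.112.0|256|20020101|assigned
example|YY|ipv4|203.0.114.0|256|20020101|assigned
""".splitlines()


def delegated_networks(lines: Iterable[str], country: str) -> List[ipaddress.IPv4Network]:
    """Parse delegated-format lines and return the IPv4 networks assigned
    to `country`. A "value" that is not a power of two is split into the
    minimal set of CIDR blocks that covers exactly that range."""
    nets = []
    for line in lines:
        fields = line.strip().split("|")
        if len(fields) < 7 or fields[0].isdigit():   # header or summary line
            continue
        _registry, cc, kind, start, value = fields[:5]
        if kind != "ipv4" or cc != country:
            continue
        first = ipaddress.IPv4Address(start)
        last = first + (int(value) - 1)
        nets.extend(ipaddress.summarize_address_range(first, last))
    return nets


def build_blocklist(lines: Iterable[str], country: str) -> Tuple[int, List[str]]:
    """Return (number of raw prefixes, collapsed supernet list as strings).
    collapse_addresses merges adjacent blocks and discards blocks already
    covered by a larger one, so the result is the smallest rule set that
    blocks exactly the same addresses."""
    raw = delegated_networks(lines, country)
    collapsed = [str(n) for n in ipaddress.collapse_addresses(raw)]
    return len(raw), collapsed


def is_blocked(ip: str, supernets: List[str]) -> bool:
    """Check one address against the collapsed list (what a router ACL would do)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in supernets)


if __name__ == "__main__":
    raw_count, supernets = build_blocklist(SAMPLE_DELEGATED, "XX")
    print(f"{raw_count} raw prefixes collapsed into {len(supernets)} supernets:")
    for n in supernets:
        print("  deny", n)
    print(is_blocked("198.51.104.77", supernets), is_blocked("203.0.114.5", supernets))
```

On the sample, six raw prefixes collapse to four: the two adjacent /23s become a /22 and the two adjacent /24s become a /23, while 198.51.104.0/24 stays on its own because nothing adjacent to it is in the list. Collapsing never widens the block (the 203.0.114.0/24 assigned to YY is still reachable), which is the property to verify before loading such a list into a production ACL.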

http://www.iana.org/assignments/ipv4-address-space/
http://ws.arin.net/whois/
http://ripe.net/
http://wq.apnic.net/apnic-bin/whois.pl
http://www.lacnic.net/cgi-bin/lacnic/whois
http://www.afrinic.net/cgi-bin/whois
http://ip-to-country.webhosting.info/book/print/5