Jan 23 2011

Of course they are – everything is a security risk. The question should be whether ereaders pose enough of a risk to your organisation to justify taking some form of action to reduce or eliminate that risk. The risks that ereaders pose can be broken down into three areas :-

  1. Most ereaders are effectively USB memory sticks with a display on. As such the risk is much the same as with any USB stick – a malicious employee could copy data onto it and carry it out of your organisation. The countermeasures are the same too – a policy that prohibits the use of memory sticks, backed up by blocking USB mass-storage devices on the workstations so that a plugged-in ereader cannot be written to. A policy on its own is only as good as the staff who remember it.
  2. Ereaders have an additional danger in that accidental leakage of confidential information is far more likely. People are unlikely to carry out a paper document marked “COSMIC TOP SECRET”, but if they put such documents onto an ereader, they are far more likely to walk out the door with it through simple neglect – that ereader with the “COSMIC TOP SECRET” document on it also has that harmless book “The Girl With The Dragon Tattoo” that I am reading in my spare time.
  3. Many ereaders (such as Amazon’s Kindle) have a way of sending documents to the device over email – you email a special address on the supplier’s mail servers, and the document trickles down to the ereader. Pretty convenient for the user, but not only does it make the leakage of information easier, it also means a copy of every document sent that way sits on the supplier’s servers, so you have to worry about how secure those servers are and who at the supplier can read them.

If you need a certain level of security, all that makes it seem like ereaders should be banned at your organisation. That would be a shame because they can be useful – everyone knows how much paper can be wasted printing discussion documents and reports so they can be referred to in a meeting. An ereader means you can carry that pile of paper around far more easily.

Rather than simply ban ereaders, simply provide them for the workers to use. And ban them from going offsite. Security is more palatable if it is served with a smile.

Jan 23 2011

During a recent upgrade of the software I have installed on my work laptop, Macports managed to get a trifle confused during the process. Firstly, Enlightenment suddenly started crashing at the drop of a hat, and secondly, dbus suddenly started refusing connections and claiming that X11 support was not built in.

The first problem I solved by compiling Enlightenment (E16) from scratch and overwriting the Enlightenment installed from Macports – probably not the right thing to do, as the next upgrade of the port will overwrite it again. It turns out that the Macports version of Enlightenment is very outdated and could do with a refresh.

The second problem was a little trickier, and may have been solved in a slightly more Macports-compatible manner. In fact this problem was two problems in one. First of all, any attempt to start a GNOME-based application (or presumably anything wanting to talk to dbus) would give an error indicating that X11 support was missing.

I fixed this by recompiling dbus manually :-

# port mirror dbus
#   Fetch the distfile (source tarball) that MacPorts uses to build the port
# cd /opt/local/var/macports/distfiles/dbus
#   Change to the directory where MacPorts keeps the distfile
# gunzip -c dbus-1.2.24.tar.gz | tar xvf -
#   Unpack the source code ("tar xvf" extracts; "tar tvf" would only list the archive)
# cd dbus-1.2.24
#   Enter the directory that we've just unpacked
# ./configure --prefix=/opt/local
#   Configure the package to install over the top of the MacPorts copy

If you look at the last few lines of the output from this configuration process, you will see a message of the form “Building X11 code: yes”, which is what we want to see – that X11 support is being built. If it says “no”, check that the X11 headers and libraries can be found before going any further. At this point we can build and install (bearing in mind that “make install” overwrites files owned by the dbus port, and the next “port upgrade dbus” will put the port’s own build back) :-

# make
# make install

The next problem was that attempting to use the automatically launched version of dbus resulted in a “permission denied” error when trying to communicate over the socket. The work-around for this turned out to be :-

  1. Turn off the launchd control of dbus by renaming the files /Library/LaunchAgents/org.freedesktop.dbus-session.plist and /Library/LaunchDaemons/org.freedesktop.dbus-system.plist, putting a “.” in front of their names. This stops launchd from starting anything at the next login or boot; anything launchd has already started keeps running until it is unloaded with launchctl or you log out.
  2. Change the .xinitrc to start dbus using the syntax eval $(dbus-launch --auto-syntax) (note that I explicitly ensure that this script is launched with zsh).
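As an added example (not part of the original post), the pieces of a .xinitrc that start a session bus only when one is not already reachable, and that check the socket the existing address points at is actually usable before anything tries to talk to it – a socket created under a different uid by launchd is exactly what produces the “permission denied” above. The address format, the paths and the sample address are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes a session bus address of
# the usual "unix:path=/some/socket[,guid=...]" form; the paths below are made up.

# Extract the unix socket path from a session bus address, e.g.
# "unix:path=/tmp/launch-abcd/unix_domain_listener,guid=1234" -> "/tmp/launch-abcd/unix_domain_listener"
# Returns 1 for any address that is not a unix socket path.
dbus_socket_path() {
    case "$1" in
        unix:path=*) printf '%s\n' "${1#unix:path=}" | sed 's/,.*//' ;;
        *) return 1 ;;
    esac
}

# Return 0 only when the address names a socket that exists and that we can write to.
# A socket owned by another uid (the launchd case above) fails the -w test, which is
# the "permission denied" error seen from the clients.
dbus_socket_usable() {
    path=$(dbus_socket_path "$1") || return 1
    [ -S "$path" ] && [ -w "$path" ]
}

# Decide whether .xinitrc needs to start its own bus: yes when no address is set,
# or when the address that is set does not lead to a usable socket.
session_bus_needed() {
    [ -z "$DBUS_SESSION_BUS_ADDRESS" ] && return 0
    dbus_socket_usable "$DBUS_SESSION_BUS_ADDRESS" && return 1
    return 0
}

# The .xinitrc fragment itself (dbus-launch is only run when really needed):
if session_bus_needed; then
    echo "no usable session bus found; would run: eval \$(dbus-launch --auto-syntax)"
    # eval "$(dbus-launch --auto-syntax)"
else
    echo "reusing session bus at $DBUS_SESSION_BUS_ADDRESS"
fi
```

Uncomment the eval line in a real .xinitrc; it is left as an echo here so the script can be run anywhere without a dbus installation.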
Jan 19 2011

This is probably of less interest than most of my blog postings about Cisco routers, as it concerns something less commonly configured in the way I have done it – specifically a WAN link with a single IPv4 address and NATting to that address. However writing up my notes here is convenient for me, so you’ll have to put up with it. It is also very definitely worth bearing in mind the disclaimer here.

Basic NAT

First of all the “outside” interface needs to be configured as such from the NAT point of view :-

router#configure terminal
router(config)#interface fastethernet 4
router(config-if)#ip nat outside

This marks the interface in a way that lets the router know how addresses need to be NATted. Of course it is also necessary to configure the “inside” interfaces too :-

router#configure terminal
router(config)#interface vlan 101
router(config-if)#ip nat inside

And repeat for each VLAN of course.

In most instructions you will see that it is normal to create a pool of addresses for use by NAT, which is perfectly valid when there are a number of addresses to NAT to, and works even when there is a single address. But there is an easier way … NAT to the address of the interface, which also means the translation follows the interface address if it ever changes.

router#configure terminal
router(config)#ip nat inside source list 7 interface FastEthernet4 overload

The next task is to specify an access list to match the addresses that need to be NATted. Note that a standard access list takes a wildcard mask (the inverse of the netmask), not a prefix length :-

router#configure terminal
router(config)#access-list 7 permit 10.0.0.0 0.255.255.255

Port Forwarding or Static NAT (for Servers)


If you run your own servers you will need to arrange for incoming connections to certain tcp or udp ports to be ‘forwarded’ to a specified address. This is known in the domestic router scene as “port forwarding”, which is as good a term as any – given that the concept of NAT is fundamentally broken.

This is done quite simply by the following :-

router#configure terminal
router(config)#ip nat inside source static tcp 10.0.0.14 80 interface FastEthernet4 80

This of course says that there should be a static rule to map tcp/80 (http for the web) on the server with the address 10.0.0.14 to tcp/80 on the ‘outside’. Repeat for each port that needs to be reachable from the outside; anything not listed here stays unreachable regardless of what the firewall below permits.

A Basic Firewall

Is the next task to bring up the WAN connection to check it works? Not at all; whilst it may be somewhat unhelpful to connect things up only after having made multiple changes, it is important to have some kind of firewall running before the link goes live. If you happen to have the IOS firewall feature, there is little point in bothering with the ordinary ACL feature on its own – it sucks in comparison.

But strangely the inspect engine does not replace the ACL; we still need a basic ACL in place on the WAN interface to :-

  1. Allow server traffic into the network.
  2. Deny all other traffic.
  3. And to allow the inspect engine to extend the ACL to allow session specific rules.
router#configure terminal
router(config)#ip access-list extended AllowIn
router(config-ext-nacl)#permit tcp any any eq www
router(config-ext-nacl)#deny ip any any log DenyIn

The use of a named ACL here is to allow for greater self-documentation – it is easier to see what an ACL should be used for when it is named. This becomes more important the more ACLs are in use. The ACL is evaluated on the inbound packet before the static NAT rule rewrites it, so the web rule needs a permit line for each port-forwarded service, and the final deny (with its “DenyIn” logging cookie) catches everything else.

We then need to create a set of inspect rules to allow traffic out. This is a very open set of rules, and will dynamically create temporary rules to allow the inbound replies to the allowed outbound traffic. The ordering of this is very important as we need the most specific inspections first – so the generic “inspect tcp” and “inspect udp” should appear at the end.

router(config)#ip inspect name allow-out bittorrent
router(config)#ip inspect name allow-out ftp
router(config)#ip inspect name allow-out ftps
router(config)#ip inspect name allow-out gnutella
router(config)#ip inspect name allow-out h323
router(config)#ip inspect name allow-out http audit-trail on
router(config)#ip inspect name allow-out https audit-trail on
router(config)#ip inspect name allow-out icmp router-traffic
router(config)#ip inspect name allow-out tcp
router(config)#ip inspect name allow-out udp

The ‘router-traffic’ on the icmp rule is to allow ICMP traffic originated by the router itself on the outside interface to be inspected, so the replies get back in. For some strange reason, Cisco configured the default to not allow it – leading to any number of network administrators having a nasty panic attack when the router can ping nothing. Perhaps Cisco have a nasty sense of humour?

Next, because it’s fun to see what people may be doing, we need to log whatever the inspection engine drops (the “log” keyword on the ACL’s final deny already covers what the ACL rejects) :-

router(config)#ip inspect log drop-pkt

Finally we apply the new rules to the WAN interface :-

router(config)#interface fastethernet 4
router(config-if)#ip access-group AllowIn in
router(config-if)#ip inspect allow-out out
router(config-if)#end

This just touches on the capabilities of firewalling with a Cisco and is well worth checking in greater depth. For instance, it is clearly possible to inspect incoming traffic as well as outgoing traffic, but if you do the obvious thing you end up with a non-working firewall.
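With the ACL deny logged and “ip inspect log drop-pkt” turned on, the router will send the drops to whatever syslog host it is configured for. As an added example (not part of the original post), here is a small script to pull both kinds of drop out of such a log and rank the sources. The log lines are constructed for illustration in the usual IOS format (%SEC-6-IPACCESSLOG* for ACL denies and %FW-6-DROP_PKT for inspect drops); the exact “due to” wording on a real router varies.

```shell
#!/bin/sh
# Added example, not from the original post. Summarises ACL denies and inspect-engine
# drops from IOS syslog output. The sample lines below are constructed.

SAMPLE_LOG='Jan 19 10:01:02 router 35: *Jan 19 10:01:01.123: %SEC-6-IPACCESSLOGP: list AllowIn denied tcp 203.0.113.7(51234) -> 192.168.1.1(23), 1 packet
Jan 19 10:01:05 router 36: *Jan 19 10:01:04.456: %SEC-6-IPACCESSLOGP: list AllowIn denied tcp 203.0.113.7(51235) -> 192.168.1.1(22), 1 packet
Jan 19 10:01:09 router 37: *Jan 19 10:01:08.789: %SEC-6-IPACCESSLOGDP: list AllowIn denied icmp 198.51.100.4 -> 192.168.1.1 (8/0), 1 packet
Jan 19 10:02:00 router 38: *Jan 19 10:01:59.012: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.9:4444 192.168.1.1:80 due to Invalid Header with ip ident 0'

# drops: read syslog lines on stdin, print "<source-ip> <proto>/<dst-port> <acl|inspect>"
# for every line the ACL or the inspect engine dropped.
drops() {
    awk '
    # ACL deny: "... denied tcp 203.0.113.7(51234) -> 192.168.1.1(23), 1 packet"
    # (IPACCESSLOGP carries ports; IPACCESSLOGDP/NP for icmp and others do not)
    /%SEC-6-IPACCESSLOG/ {
        for (i = 1; i <= NF; i++) if ($i == "denied") {
            proto = $(i+1); src = $(i+2); dst = $(i+4)
            sub(/\(.*/, "", src)                     # strip "(srcport)"
            if (dst ~ /\(/) { sub(/^.*\(/, "", dst); sub(/\).*/, "", dst) }
            else dst = "-"                            # no port for icmp etc.
            print src, proto "/" dst, "acl"
            break
        }
        next
    }
    # Inspect drop: "Dropping tcp session 203.0.113.9:4444 192.168.1.1:80 due to ..."
    /%FW-6-DROP_PKT/ {
        for (i = 1; i <= NF; i++) if ($i == "Dropping") {
            proto = $(i+1); src = $(i+3); dst = $(i+4)
            sub(/:.*/, "", src)                      # keep the address
            sub(/^.*:/, "", dst)                     # keep the port
            print src, proto "/" dst, "inspect"
            break
        }
        next
    }'
}

# top_sources: count drops per source address, busiest first.
top_sources() {
    drops | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Stand-alone demo on the constructed sample; feed a real log file with
#   sh thisscript.sh < /var/log/router.log  (after removing the demo lines)
printf '%s\n' "$SAMPLE_LOG" | drops
printf '%s\n' "$SAMPLE_LOG" | top_sources
```

The same two awk patterns can be pointed at a live syslog file; the useful number is how many distinct sources keep hitting the ACL versus the inspect engine, since the latter are mostly out-of-state packets rather than scans.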

Bringing Up The WAN

Fortunately I am in the situation where my ADSL line is bridged to Ethernet using an ADSL ‘modem’ so that I merely have to configure the external WAN interface on my router with an external address, a netmask, etc. This is so trivial it seems strange to include it here, but …

router#configure terminal
router(config)#interface FastEthernet4
router(config-if)#ip address 192.168.1.1 255.255.248.0
router(config-if)#ip nat outside
router(config-if)#ip virtual-reassembly
router(config-if)#duplex auto
router(config-if)#speed auto
router(config-if)#end

Perhaps the only oddity there is the use of ‘ip virtual-reassembly’, which reassembles fragments before they are inspected and NATted and so protects the router (and in effect the rest of the network) from fragmented-packet attacks. And if you leave CDP enabled globally, you will also want to stop it on the external interface with “no cdp enable”, so the router does not announce itself to whatever is on the other side of the link.

Jan 13 2011

Sarah Palin has recently made a speech on the recent shooting spree in Arizona where a congressperson was shot (and probably targeted by the shooter) in relation to the media noise about the aggressive and combative attitudes in US politics at the moment. In it she claimed the media was launching a ‘blood libel‘ against the right-wing in US politics in its criticism of the political debate.

Whether or not she has a point to make, the use of the phrase ‘blood libel’ here is grossly inaccurate and an example of exactly what the media is talking about. Blood libel is the phrase used to describe the hysterical accusation by anti-semites that Jews sacrifice Christian children and drain their blood for some religious purpose – if it hadn’t been used as the excuse for slaughtering Jews throughout history, it would be ridiculous. I am hardly an expert on the US media, but I find it extremely unlikely that anyone from the US media is likely to hunt down any right-wingers, kill them, and drink their blood.

Sarah Palin’s remarks are merely a hysterical over-reaction to a perceived attack on the right-wing. To be fair I should point out that apparently others have used the phrase in US politics recently. Which just goes to show that US politics is a little over-heated. Interestingly a conservative commentator has pointed out that the use of this phrase is an indication that Sarah Palin just isn’t presidential material – presumably presidents are expected to behave and talk in a slightly more dignified fashion.

Did the US media attack the right-wing ?

The US media did comment after the shootings that there is a considerable level of aggression in US politics today, and used as an example a graphic, published by the right-wing, showing certain US congressional districts targeted with rifle cross-hairs. This could be said to be unfairly criticising the right-wing, except that the reason that example was used was that the congressperson who was shot (Gabrielle Giffords) had previously complained about that very publication in which she was targeted.

Personally I don’t believe the right-wing was specifically targeted in the various suggestions that US politics can be a little aggressive. There is a lot to be said for lowering the temperature in US politics – opposition, criticism, discussion and debate are all a part of politics and essential in any healthy democracy. But there’s no need to go too far, and throwing around inappropriate phrases like “blood libel” is certainly an example of that.

I have no doubt that there are Democrats who go too far too.

We have no way of knowing how much the current atmosphere in US politics had an effect on the shooter, and will probably never know. After all he is clearly a deranged individual and he probably doesn’t know himself. The naysayers who claim it had no effect have no way of knowing that. If it did have an effect, it does not make those making inflammatory comments responsible for these shootings – not even to the extent of inciting murder.

But the current state of US politics could have an effect on deranged individuals even if it did not in this case. As such it is worth considering whether toning it down is worthwhile. Say “she’s an idiot” rather than “she’s a traitor”, say “he should be fired” rather than “he should be put in the chair and the switch thrown”. It doesn’t ruin the debate and it might just save someone’s life – isn’t that worth it ?