Interview with a security professional - Chris Brenton

alt.don
SF Boss
Joined: 04 Mar 2003
Posts: 16777079

Posted: Sun Aug 14, 2005 9:18 pm    Post subject: Interview with a security professional - Chris Brenton

We have another installment of “Interview with a security professional”. This time Chris Brenton, SANS instructor and computer security consultant, has given generously of his time to answer some questions for us.

Question

Seeing as you teach a SANS track based on firewalls and VPN technology, what would you say is important, knowledge-wise, to make the best of these technologies?


Chris’s answer

I think the most important skill is a fundamental knowledge of IP and how it works. Specifically, how an IP stack responds to certain stimuli. For example, one of the things I cover in the SANS Perimeter track is just how much information is stored in ICMP error packets. It's trivial to tell the difference between a "normal" ICMP error and a covert communication channel if you know what to look for. Once you get a good feel for the ebb and flow of IP, lots of pieces fall into place. As another example, I teach my students how to analyze fields like the TTL and IP ID, so distinguishing between things like a straight scan, a decoy scan or an idle scan becomes much easier.

I think a strong understanding of IP also helps you sort through vendor FUD as well as tell when your tools are misleading you. In my time I've seen quite a few tools not live up to their marketing claims, or that have been flat out wrong in their diagnosis of what's going on with the network. If you understand how IP actually works, it's much easier to sort through all this for yourself.

Question

Where do you see the future of firewall technology going?


Chris’s answer

Over the next five years I think we're looking at more "evolution" rather than "innovation". The first problem is every network has different business needs and thus different requirements for security. The other problem is that every technology has both strengths and weaknesses. With this in mind, diversity in products is going to continue to be a requirement. Unfortunately there are no silver bullets on the horizon.

I'll give you a good example. Stateful Inspection (SI) is widely regarded as being superior to rudimentary static packet filtering. For the most part this is true, as it plays much better with complex protocols like DCOM and FTP. The problem is the SI code needs to be far more complex to deal with these protocols, and as you increase complexity you also increase the chance of running into security problems. I've seen more than one SI firewall become breached by an attacker who has figured out how to leverage bugs/features in the code. In almost every case the addition of a static packet filter was sufficient to neutralize the problem. This was usually due to the fact that the code for the static packet filter was simpler and did not exhibit the same problems. Now I'm not saying that everyone should rip out their SI firewall and replace it with a static filter. What I'm saying is that each technology has its strengths, so defense-in-depth layering is usually your best bet. You can't get that out of a single product.

Question

Any thoughts on the re-branding of old technology, i.e. intrusion prevention systems from an inline intrusion detection system?


Chris’s answer

I see this as a side effect of products evolving rather than someone coming up with an idea that truly revolutionizes the concept of perimeter security. Another great example is network based intrusion prevention systems. The systems I've looked at are little more than SI firewalls with a bit more code and a much higher price tag.

Think of it this way, if I'm a salesman and I walk into your office and say "Buy our stateful inspection firewall", you are probably going to respond "No thank you, I already have one I'm happy with". If however I walk in and say "I'm selling a network based intrusion prevention system", you are far more likely to respond "Ohhh, I don't have one of those yet! Can I get three?". So repackaging is nothing new and companies have been using it to successfully push products for years. To refer back to a comment I made earlier, if you understand the fundamentals it becomes much easier to tell the difference between something revolutionary and something that just has a shiny new wrapper.

Question

In your experience, do end users actually pay attention to f/w logs, and if not, what do you see as the reason for them not doing so?


Chris’s answer

I personally think logging is one of our best security tools, but that it is the most overlooked. I think the core problem is that dealing with the sheer quantity of information that gets logged on a typical network is enough to dissuade most admins from giving it more than just a cursory look.

In the SANS perimeter track I've dedicated close to a day's worth of material towards processing different types of log information. The framework for each information source is usually the same:
1) Take everything you understand and move it out of the way
2) Figure out what caused everything else to occur

It's a matter of shifting your consciousness from processing your logs in a linear, time-based fashion to something a bit more palatable. For example, instead of trying to review a firewall log with 24 hours' worth of information line by line, it might be easier to break it out into separate files based on activity or targeted service. You can then further sort on source and/or target IP. The nice thing about this process is it's easy to automate via shell scripts or batch files. The example I use in class is a firewall log with just under 200,000 line entries. I show the class in a hands-on lab how a script can help you automatically sift through this file and target the six truly interesting lines it contains in less than a minute.

If I had to specify which aspect of logging gets ignored the most, I would have to say it's outbound traffic. Many admins religiously log what comes at their network, but tend to ignore what's leaving it. I've received many an abuse report from people claiming one of my systems was attacking them, only to find in my logs that the packet in question was simply a response to stimuli initiated on their end. Had they been logging outbound traffic, they would already know why my routers are sending them ICMP host unreachable packets.

In my mind focusing solely on inbound traffic is also a bit backwards. For example, an inbound TFTP attempt is probably just some script kiddie or zombie system. If you have a decent perimeter it's not going to be a problem. If your internal Web server is generating outbound TFTP sessions, however, that's something you need to respond to right away.

Question

Do you see packet filtering f/w’s eventually disappearing in favour of application layer f/w’s?


Chris’s answer

I honestly don't. Again, both technologies have their strengths and weaknesses. For example, SI makes a great high speed traffic cop but it does a horrible job at payload inspection. SI also makes a far more secure firewall platform, however, because unlike proxies you can run an SI firewall with no open listening ports. So in an ideal defense-in-depth network you would have an SI firewall at the most exposed point of your perimeter figuring out which ports to let through. Behind it would be application layer firewalling that performs much better content checking.

Question

What are your thoughts on Microsoft’s ISA?


Chris’s answer

Like most tools I think it has its strengths and weaknesses. I think it's an excellent tool for authenticating outbound Internet access in a Windows environment, enforcing content and virus checking, etc. However, I would never expose ISA on the outskirts of a perimeter. Yes, I know Microsoft says that ISA is finally a true firewall, but we've heard that before. I would not want one of my clients to be the first to figure out it's easy to breach. With this in mind, for some environments it's a great choice for the back end of the perimeter, provided something is sitting in front of it to help keep it safe.

Question

What advice would you give the budding security professional in terms of what to study, and how to improve their skills?


Chris’s answer

Follow what interests you the most and let the love of the technology drive you. Personally, I started out as a network admin and got hooked on security due to the concept of buffer overflows. From there I moved to firewalls, got bored, and then focused on intrusion detection. When I got bored with that I changed gears and started focusing on logging. After that I switched back to firewalls. Mixed in there somewhere was Windows, Linux, SunOS and HP-UX host based security.

This stuff can be extremely dry if your heart is not in it. With this in mind, it's passion that's really going to drive you. I've never focused on a technology because "it was cool". I've always focused on what has my interest the most. Once you change gears a few times you are able to start pulling the puzzle together as a whole to better understand a layered posture. At that point you reach a real Zen with how all this works.

Question

Were you to have a home lab on a fixed budget what would it consist of? Bearing in mind that it would be used for exploits and learning about f/w’s and ids’s.


Chris’s answer

Funny, this question got me thinking about my first home lab. This consisted of a five user version of NetWare and two client systems running DOS 3.3. <grin>

A home lab should reflect what you are trying to learn. For example, if the goal is to experiment with exploits or root kits, tools like VMWare and User Mode Linux are your best bet. You can run it all from a single system and it's easy to do before and after shots of the file system to figure out what exactly was changed.

If you want to experiment with firewalls, you are looking at three systems and two hubs at a minimum. Yes, you could probably use virtual images here as well, but you lose some of the granularity and control. Sometimes the interaction is a bit different with an in-line firewall vs. a personal firewall.

Question

How important do you feel being able to program is to your ability to do your job as a security professional?


Chris’s answer

I think it's possible to get through your career with zero programming knowledge while relying solely on tools created by other people. I think in the long run, however, it's going to make your job harder. If you want to wrap your brain around exploits, you really need to learn to program to understand what exactly can go wrong and why. If your goal is simply to become better at running perimeter security, being fluent in Perl and writing scripts will make your life so much easier, as well as allow you to work far more effectively.

Actually, I've seen a trend here that I find a little disturbing. When I started teaching computer security back in 1999, it was not uncommon for a majority of my students to at least have a little bit of a programming background. Today, I would say roughly 10% of my students not only have no idea how to program, but are looking at a command prompt for the very first time when they attend my class. In other words, it seems like many of the security people coming into the field today are missing many of the basics that would make performing their job so much easier.

Question

Do you have any thoughts or tips that you would like to share with your readers?


Chris’s answer

Get involved with the security community. Contribute to DShield, get on a few SecurityFocus mailing lists and just dive in with both feet. If you are a novice at security, most of what you read may fly right over your head. That's fine and exactly what Google and discussion lists are for. The more you live it the more it will all make sense.

I've had many students ask me "What technology should I focus on in order to earn the most amount of money?". In my mind, that is the wrong question. Yes financial compensation matters, but if you are doing what you love the skills will come naturally and then the money will take care of itself. Personally I've never changed jobs for money, but increased my income in the first five years of my career by a factor of six simply by learning as much as possible. The more you know the more valuable you become and the more options that are available to you.

On behalf of the members and myself, I would like to thank Chris Brenton for his time and effort in answering these questions for us.

This interview is copyright 2005 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.


Last edited by alt.don on Sun Sep 11, 2005 4:13 pm; edited 2 times in total
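Chris's point about how much an ICMP error packet gives away, as an added example that is not part of the interview or of the SANS course material: a Destination Unreachable message has to quote the IP header and at least the first 8 bytes of the datagram it is complaining about (RFC 792), and that quoted data has to agree with the error's own addressing. The checks below are the ones a perimeter analyst would apply to tell a genuine error from something merely dressed up as one. The two packets are constructed here with RFC 5737 documentation addresses, and every helper name (`check_icmp_error`, `build_icmp_unreach`, `inet_checksum`) is this example's own.

```python
"""Sanity-check ICMP Destination Unreachable messages.

Constructed example.  A genuine ICMP error is sent back to the source of the
offending datagram and quotes that datagram's IP header plus its first 8 bytes
(RFC 792); a covert channel that only mimics "type 3" packets usually gets one
of these details wrong.
"""
import socket
import struct

ICMP_DEST_UNREACH = 3
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}   # RFC 1122 3.2.2: no errors about errors
RFC1812_MAX_ERROR_LEN = 576            # RFC 1812 4.3.2.3 recommended maximum


def inet_checksum(data: bytes) -> int:
    """Standard one's-complement checksum shared by IP and ICMP; 0 when verifying a good packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload, with header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp_unreach(code: int, quoted: bytes, unused: int = 0) -> bytes:
    """ICMP type 3 message quoting `quoted`; the 32-bit `unused` field is normally zero."""
    msg = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, unused) + quoted
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_ipv4(pkt: bytes) -> dict:
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    v_ihl, _, total_len, ident, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (v_ihl & 0x0F) * 4
    return {"version": v_ihl >> 4, "ihl": ihl, "total_len": total_len, "ident": ident,
            "ttl": ttl, "proto": proto, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "payload": pkt[ihl:]}


def check_icmp_error(pkt: bytes) -> list:
    """Return a list of anomalies for a raw IPv4 packet; an empty list means the error looks genuine."""
    findings = []
    outer = parse_ipv4(pkt)
    icmp = outer["payload"]
    if outer["proto"] != 1 or len(icmp) < 8:
        return ["not an ICMP message"]
    itype, code, _, unused = struct.unpack("!BBHI", icmp[:8])
    if itype != ICMP_DEST_UNREACH:
        return ["not a Destination Unreachable message"]
    if inet_checksum(icmp) != 0:
        findings.append("bad ICMP checksum")
    # Code 4 (fragmentation needed) carries the next-hop MTU in the low 16 bits;
    # for every other code all 32 bits must be zero.  Junk here is a classic covert-channel slot.
    if (code == 4 and unused >> 16) or (code != 4 and unused):
        findings.append("non-zero 'unused' field: %#010x" % unused)
    if len(pkt) > RFC1812_MAX_ERROR_LEN:
        findings.append("error message longer than 576 bytes")
    quoted = icmp[8:]
    try:
        inner = parse_ipv4(quoted)
    except ValueError:
        return findings + ["quoted header truncated"]
    if inner["version"] != 4 or inner["ihl"] < 20:
        return findings + ["quoted data is not an IPv4 header"]
    if len(quoted) < inner["ihl"] + 8:
        findings.append("fewer than 8 bytes of the original datagram quoted")
    # The error goes back to whoever sent the original datagram, so the quoted
    # source must be the host this error is addressed to.
    if inner["src"] != outer["dst"]:
        findings.append("quoted source %s is not the error's destination %s" % (inner["src"], outer["dst"]))
    if inner["proto"] == 1 and inner["payload"][:1] and inner["payload"][0] in ICMP_ERROR_TYPES:
        findings.append("ICMP error quoting another ICMP error (forbidden by RFC 1122)")
    return findings


# --- constructed sample traffic (RFC 5737 documentation addresses) ---
# 1) 192.0.2.10 tried TFTP (UDP/69) to 198.51.100.7; router 203.0.113.1 answers "host unreachable".
_udp = struct.pack("!HHHH", 40000, 69, 28, 0)
_original = build_ipv4("192.0.2.10", "198.51.100.7", 17, _udp, ttl=63, ident=0x1234)
NORMAL_ERROR = build_ipv4("203.0.113.1", "192.0.2.10", 1,
                          build_icmp_unreach(1, _original[:28]))

# 2) Same outer addressing, but the "error" quotes a header for a host that never sent anything,
#    stuffs data into the unused field and drags a text payload along.
_fake_inner = build_ipv4("10.0.0.5", "198.51.100.7", 17,
                         _udp + b"c2: send next chunk of /etc/shadow please")
COVERT_ERROR = build_ipv4("203.0.113.1", "192.0.2.10", 1,
                          build_icmp_unreach(1, _fake_inner, unused=0xDEADBEEF))

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL_ERROR), ("suspect", COVERT_ERROR)):
        print(name, check_icmp_error(pkt) or ["looks like a genuine error"])
```

The same checks apply to Time Exceeded (type 11) and Parameter Problem (type 12) with the obvious change to the type test; the quoted-source and unused-field rules are what catch most home-grown tunnels, because the tunnel author rarely bothers to make the quoted header consistent with the outer one.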
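The two-step log framework Chris describes (move everything you understand out of the way, then sort what's left by service and address) and his outbound-TFTP example, worked as an added example that is not from the page or from the SANS class. The log format is netfilter/iptables style and the twelve lines are constructed here with RFC 5737 addresses; `eth0` as the Internet-facing interface, `203.0.113.10` as the DMZ web server and `203.0.113.53` as the resolver are assumptions, and the function names (`sift`, `interesting_lines`) are this example's own.

```python
"""Sift a firewall log the way the interview describes.

Constructed example.  Step 1: anything matching a rule in KNOWN is counted and
discarded.  Step 2: what is left is bucketed by (direction, protocol, port) and
sorted by source and destination, so the handful of lines that need a human
stand out instead of being buried in time order.
"""
import re
from collections import defaultdict

EXTERNAL_IF = "eth0"          # assumption: Internet-facing interface
WEB_SERVER = "203.0.113.10"   # assumption: the DMZ web server
RESOLVER = "203.0.113.53"     # assumption: our caching DNS resolver

# netfilter-style line: "<ts> <host> kernel: <ACTION> IN=.. OUT=.. SRC=.. DST=.. PROTO=.. [SPT=.. DPT=..]"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\w+) "
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed sample: a dozen lines standing in for a day's worth.
SAMPLE_LOG = """\
Aug 14 21:18:01 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=3344 DPT=135
Aug 14 21:18:02 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=3345 DPT=445
Aug 14 21:18:05 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=192.0.2.77 DST=203.0.113.10 PROTO=TCP SPT=51022 DPT=80
Aug 14 21:18:09 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.10 PROTO=ICMP TYPE=8 CODE=0
Aug 14 21:18:12 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=203.0.113.53 DST=192.0.2.1 PROTO=UDP SPT=40112 DPT=53
Aug 14 21:18:15 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.45 DST=203.0.113.10 PROTO=UDP SPT=1024 DPT=69
Aug 14 21:18:20 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=203.0.113.10 DST=198.51.100.99 PROTO=UDP SPT=32769 DPT=69
Aug 14 21:18:21 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=192.0.2.78 DST=203.0.113.10 PROTO=TCP SPT=51023 DPT=443
Aug 14 21:18:25 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=203.0.113.10 DST=198.51.100.77 PROTO=UDP SPT=32770 DPT=69
Aug 14 21:18:30 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=3346 DPT=139
Aug 14 21:18:33 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=203.0.113.10 DST=198.51.100.99 PROTO=UDP SPT=32771 DPT=69
Aug 14 21:18:40 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=203.0.113.53 DST=192.0.2.2 PROTO=UDP SPT=40113 DPT=53
"""

# Step 1: the traffic we already understand.  Each rule is (description, predicate).
KNOWN = [
    ("inbound Windows service probes, dropped",
     lambda e: e["dir"] == "in" and e["action"] == "DROP" and e["dpt"] in (135, 139, 445)),
    ("inbound TFTP probes, dropped at the perimeter",
     lambda e: e["dir"] == "in" and e["action"] == "DROP" and e["proto"] == "UDP" and e["dpt"] == 69),
    ("inbound ping, dropped",
     lambda e: e["dir"] == "in" and e["action"] == "DROP" and e["proto"] == "ICMP"),
    ("inbound web traffic to the web server",
     lambda e: e["dir"] == "in" and e["action"] == "ACCEPT" and e["dst"] == WEB_SERVER and e["dpt"] in (80, 443)),
    ("outbound DNS from the resolver",
     lambda e: e["dir"] == "out" and e["src"] == RESOLVER and e["proto"] == "UDP" and e["dpt"] == 53),
]


def parse(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["dpt"] = int(e["dpt"]) if e["dpt"] else None
    e["spt"] = int(e["spt"]) if e["spt"] else None
    # Direction is taken from which side the external interface is on.
    e["dir"] = "in" if e["in"] == EXTERNAL_IF else "out" if e["out"] == EXTERNAL_IF else "other"
    e["line"] = line
    return e


def sift(log_text: str):
    """Return (understood, residue): counts per KNOWN rule, and leftovers bucketed
    by (direction, proto, dpt) with each bucket sorted by source then destination."""
    understood = defaultdict(int)
    residue = defaultdict(list)
    for line in log_text.splitlines():
        e = parse(line)
        if e is None:
            residue[("unparsed", "", None)].append({"src": "", "dst": "", "line": line})
            continue
        for name, matches in KNOWN:
            if matches(e):
                understood[name] += 1
                break
        else:
            residue[(e["dir"], e["proto"], e["dpt"])].append(e)
    for bucket in residue.values():
        bucket.sort(key=lambda e: (e["src"], e["dst"]))
    return dict(understood), dict(residue)


def interesting_lines(log_text: str) -> list:
    """Step 2 output: the residue flattened back to raw lines, bucket by bucket."""
    _, residue = sift(log_text)
    out = []
    for key in sorted(residue, key=lambda k: (k[0], k[1], k[2] or 0)):
        out.extend(e["line"] for e in residue[key])
    return out


if __name__ == "__main__":
    understood, residue = sift(SAMPLE_LOG)
    for name, n in understood.items():
        print("%5d  %s" % (n, name))
    print("--- needs a human ---")
    for line in interesting_lines(SAMPLE_LOG):
        print(line)
```

Running it leaves exactly three lines on the table, all outbound UDP/69 from the web server, which is precisely the case Chris says you respond to right away, while the inbound TFTP probe is counted and forgotten. The KNOWN list is where the real work lives: every rule added to it is a piece of the network you have consciously decided you understand.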
PhiBer
SF Mod
Joined: 11 Mar 2003
Posts: 20
Location: Your MBR

Posted: Mon Aug 15, 2005 6:44 pm

Props to alt.don and Chris Brenton. Great interview!
ryansutton
Trusted SF Member
Joined: 25 Aug 2004
Posts: 67
Location: San Francisco, California

Posted: Tue Aug 23, 2005 4:39 pm

Thanks Chris and Don, great questions with great answers.