Are you looking for my non-technical blog?

This is now my technical-only blog, my non-technical blog is here.

31 December 2007

6 Tips to Stop Spywares and Adwares

Every now and then one of my friends or family members tell me that he has got a Spyware or Adware on his PC, and asks me what to do. There are many free Antispywares out there, but in fact they never succeeded in helping those guys. Antivirus vendors are mocking us by claiming that Viruses and Spywares are two different things, I think they keep saying so just because their Antivirus softwares are not able to remove Spywares.

Here you are 6 tips to protect yourself from Spywares, Adwares, etc. In fact I cannot see any difference between Spyware and Adwares so I'll call them all from now on Crapwares.

1. Beware of Toolbars et al:
I have to put this as number one, Crapwares are always hidden inside Browser Toolbars, Screen Savers, Games, and MSN Plugins. For the love of God, please do not install such crap on your PC's. Away from the Spywares, please tell me what's the point of downloading a freak toolbar in your browser to make it look ugly and crowded, and what's the point of installing a plugin in your MSN or Yahoo Messenger to tell you who has blocked you, let those who block you go to hell.

2. FOSS instead of Free:
We all hate to pay money for Software's. But instead of looking for Free softwares, search for Open Source ones. Open Source Softwares are free but their code is published as well for anyone to see it. It's almost impossible to hide Crapwares in them. Linus Trovalds believes that Software is like Sex, it's meant to be free. And let me add here, it's like Sex, you cannot sleep with someone without knowing what she is hiding under her clothes.

3. A Firewall and a good Antivirus are your Shields:
As I said before, an Antivirus is not the best cure for Crapwares, but an extra layer of security will not hurt you. And most of the time, Crapwares need to connect to their mother ship every now and then to get themselves updated, so a Personal Firewall may not stop them from infecting you but it will stop them from getting updates and morphing in Crappier-wares.

4. Beware of malicious sites:
But wait a minute, how can we identify malicious sites? Ok, McAfee decided to do this for us freely. You can just download their SiteAdvisor Plugin, and every time you search for something in Google or Yahoo or visit a certain web site, it will mark safe sites in green and malicious ones in red.

5. Firefox instead of IE:
Internet Explorer, or sometimes known as Internet Exploder, it the dominant browser out there, So Crapwares creators and malicious sites tailor their softwares for it, so why not use a better yet not very dominant browser such as Firefox or Opera. I know this is somehow Security through Obscurity, but believe me it helps sometimes.

6. Pop-ups are bad:
Sometimes, pop-up windows try to deceive you by making themselves look like Windows warning messages and claim that you PC is infected or not healthy. They may ask you to click on a certain link in order to fix this problem. So, please beware of those evil pop-ups. I know, that sometimes normal use pop-ups, so it's hard to ask you to totally block pop-up, but what I normally do here is to block them by default and allow them only on the sites I trust.

Tags: , ,

20 December 2007

Firewalls Evolution - From Application Aware to UTM

As mentioned earlier, Firewalls were very successful in segmenting the Network into different Zones and protecting those different zones from each other by controlling who is supposed to talk to who using which protocol or application. But later on, applications such as FTP, SIP, etc. started to open dynamic ports, and firewalls were forced to evolve and become more application aware. So firewalls were not limited to Layers Three and Four (Network and Transport Laters) as they used to be, but they were able to decode the Application Layer as well.

On the other hand Proxy Firewalls such as Microsoft ISA - I know it’s a piece of crap - but such firewalls were able to see the application layer, add rules to prevent people from downloading ZIP and MP3 files, Inspect SMTP for spam, etc. So firewall vendors were forced to compete with them in this, especially that such Proxy Firewalls are popular in SOHO (Small Office and Home Office) and SMB (Small to Medium Business) networks.

So Firewall vendors decided to focus more on the Application Layer, but this time it wasn't just an evolution. A new device was introduced to the market which is UTM.

A Network Layer is a Network Layer, but when it comes to Application Layer, we have dozens of Applications and each have its own security requirements. For SMTP, Spam is your enemy. When it comes to File Sharing, CIFS, FTP, HTTP, SMTP and POP3, you should check the files being transferred to make sure they do not contain Viruses. IPSs and IDSs are needed to protect you from the different worms and exploits that span from layer 2 up to layer 7. So, this is what UTM’s are doing, it’s a box - mainly a firewall - with many other addons such as Network Based Antivirus, Network Based Antispam, and Network Based IPS.

Some people may argue that UTMs are not mature enough and they add complexity to the network. They also believe that an all-in one solution may not be suitable for large networks with high throughput. That's why when it comes to ISP's and large Data Centres they prefer to install separate best-of-breed devices - Firewall, IPS/Deep-Inspection, AntiSpam - each is responsible for a certain task. But in some other locations an all in one box (UTM) can reduce the cost and complexity. Also it's sometimes hard to find a good stand-alone Network Based Antivirus or Web Filtering Solution and in such case having those components in a UTM may be your best choice.

Finally, most of the Firewall vendors now are moving towards the all-in-one solution and I guess in the near future the UTM's will be mature enough so that stand-alone devices will be something from the past.

Tags: , ,

13 December 2007

Intrusion Detection Systems

In order to be able to continue my discussion about Firewalls Evolution, I have to take you today to a different subject. As I said before, "Firewall is a device that divides the network into different Zones, and controls Who's is supposed to talk to Who, using which Applications (Service), across those different Zones". But once Client (C) is allowed to talk to Server (S) using Application (A), he is then allowed to send whatever traffic he wants to that Application.

What's the difference between a Firewall and an IDS?
Let's say that Application A is Vulnerable to XSS (Cross Site Scripting), i.e. it has a bug, and Attackers can send Malicious Traffic to this Application that can harm that Server or those people who deal with it taking advantage of this bug. A Firewall can only block people from accessing this Application or permit them, but it can never know if this traffic is Malicious or not. A Firewall is only capable of inspection up to layer 4 (The Transport Layer), hence another solution is needed in order to inspect traffic up to layer 7 (The Application Layer). This solution is called an IDS or Intrusion Detection System.

How does an IDS work?
But what kind of magic does IDS's do in order to detect those attacks. We are now in the application layer and there is no 5-tuple to inspect anymore, so IDS's use various techniques to detect attacks. Let's go back to our XSS example.
Imagine a web forum where different users can post articles and comments etc. So an attacker can forge his post to contain some HTML tags or JavaScript in stead of clear text. So the result will be the execution of that HTML tags or JavaScript in the other forum visitors' browsers.
Gr33n Data: Cross Site Scripting - XSS
So a simple IDS can look for a certain pattern - here it will be an HTML Tag - in the traffic sent from the Client to the Web Server. The HTML Code is normally sent from the Server to the Client and not in the other direction. This kind of Intrusion Detection Technique is called Signature Based Detection. Another Technique used by IDS's is Behavior Based Analysis or Traffic/Protocol Anomaly Detection. When someone's PC is infected by a worm, it normally tries to connect to hundreds or even thousands of other PC's in order to try to infect them. This is how worms normally propagate and this is what differentiate worms from viruses. So an IDS that is able to detect Traffic Anomalies will know that a certain PC is infected by a worm when it starts sending traffic to a large number of PC's in a short period.

By they way, the Antiviruses you use on your PC use similar techniques to detect malwares. And you know what, the Antivirus updates you download every now and then are files containing those signatures used by it in the Signature Based Detection. And yes, an IDS needs tp get periodic updates too, just like Antiviruses.

The Signature Based Detection is more accurate than Behavior Analysis in detecting Attacks, but Signature Based Detection can detect Known Attacks only while Behavior Analysis can detect both Known and Unknown Attacks, which are sometimes called Zero-Day Attacks. That's why Intrusion Detection Systems depend on both techniques together and sometimes they implement more proprietary techniques.

Accuracy, what do I mean by accuracy?
When there is an Attack and the IDS doesn't detect it, they call this False Negative, and on the other hand when there is no Attack and the IDS thinks that there is one, they call it False Positive. A good IDS is the one that tries to minimize both False Negatives and False Positives.

IDS is dead, long live the IPS
IDS is more complicated than a Firewall, it needs more processing and analysis that may impose some delays. It's also not accurate. That's why people preferred not to deploy them inline. The traffic doesn't pass by them, they just see a copy of it, and they do not take actions to block or permit traffic, they are just passive devices that fire an alarm whenever they detect an attack.

And that's why a few years ago a new technology was born, an IPS is just an IDS but it is deployed inline and capable of tacking the decision to block or permit traffic. By doing so IPS vendors were forced to increase their products accuracy as well as processing power.

IPS Vendors
Now a days that top players in the IPS field are Tipping Point (3Com), IntruShield (McAfee), NetScreen IDP (Juniper), and ISS Proventia (IBM). Cisco also have their own *quote* IPS *quote*. And if you are an Open Source fan, you can try Snort, these guys have good documentations and papers here.

Tags: , ,

09 December 2007

Firewalls Evolution

As discussed in the previous article, a firewall simply inspects the traffic, and takes the decision to permit or block the packets based on the different fields in the third and fourth layers headers. In face, this task can be done by the Access Lists found on all the available routers in the market.

The Access List decided to permit or block the traffic based on the following 5-Fields:
1. Source IP-Address
2. Destination IP-Address
3. Protocol (TCP, UDP, ICMP, etc.)
4. Source Port
5. Destination Port
In the late nineties the idea of Stateful Firewalls was introduced. As you know, when two hosts communicate, they keep sending and receiving packets. So in the case of Access List, two rules have to be added in both directions for those hosts to be able to communicate. But Stateful Firewalls on the other hand are smarter than this. They keep track of the Session, and that's why in Stateful Firewalls you only have to create one rule from the Client to the Server, traffic from the Server to the Client will be treated as a part of the session, and that's why you won't need to add an extra rule in such direction.

Stateful Firewalls are also more secure than Access Lists, as packets that doesn't belong to an active session will be dropped. The presence of Session Table in Stateful Firewalls improves their performance as they only need to check the rules in the first packet of the session.

1. Please tell me if the subject is not clear enough, or if you feel that I have to write more details in order to clarify it.

2. You can read more about Stateful Firewalls here and here.

Tags: , ,

08 December 2007

The Firewall

The Firewall, it's the cornerstone of the Network Security design. In today's networks, a Firewall is a device that divides the network into different Segments (Zones), and controls Who's is supposed to talk to Who, using which Applications (Service), across those different Zones.

Most of the time in enterprise networks, they have two layers of Firewalls, one at the Gateway - Just behind the Gateway Router - and the other one in the Data Centre.

The Gateway firewall is also called the Perimeter firewall, its main task is to control which resources on your local LAN are to be accessed from the outside world, normally from the Internet. And on the other direction, it controls what your local users are allowed to do when going outside, normally to the Internet. The Data Centre firewall on the other hand is intended to protect the resources in your Data Centre - mainly Servers - from the outside as well as from the different Zones in your local network.


Sometimes, people who have a tight budget consolidate the Gateway and the Data Centre firewalls into one firewall. Also this is suitable for remote branches and small offices.

The computers in the networks world communicate by sending and receiving packets. These packets contain beside the date (payload), the source and destinations addresses (IP Addresses) of the sender and receiver, as well as the service they are using (Protocol and Port Number). So let's say, if you want to define a rule in your firewall to let user A in the Users Zone, connect to the Web Server B in the Data Centre, the rule will contains the address of A in the source IP field and the Address of B in the Destination IP field, and the Web Service (Protocol=TCP, Destination-Port=80) in the Service field.

It's really funny that a company like McAfee claims that they are a Security Vendor, while they do not have firewalls in their products portfolio. If I were in there shoes, I would have bought some firewall only company such as Fortinet, Checkpoint, Stonesoft or even a start-up like Palo Alto Networks.

Tags: , ,


About 10 days ago, I wrote a post about forking my blog into two separate blogs. And now you are here in the technical one. So what are my plans for this blog?

During university years, I was fond of subjects such as Computer Architecture, Networking and Programming the most. I was also introduced to Linux during my graduation project, which was an implementation of Differentiated Services using Linux Traffic Control. Later on after graduation, I worked in the field of Computer Networks and Network Security. So I am planning to focus on Networks, and mainly Network Security. I think, I'll try to write about the various trends and technologies in such field, I may also try to write about the market trends and do competitive analysis. I will try to be as vendor neutral as I can, and will try sometimes to focus more on the Egyptian market.

Finally, these are my plans for now, however I am looking forward to hearing your feedback.

Tags: , ,