
Tag: DMZ

[Image: One of the Sierra Wireless devices that can be infected by Mirai. Credit: Sierra Wireless]

This week, the US government-backed ICS-CERT warned that the troubling new generation of computer attacks is powered by m...
Honeypots provide the best way I know of to detect attackers or unauthorized snoopers inside or outside your organization. For decades I've wondered why honeypots weren't taking off, but they finally seem to be reaching critical mass.
I help a growing number of companies implement their first serious honeypots -- and the number of vendors offering honeypot products, such as Canary or KFSensor, continues to grow. If you're considering a honeypot deployment, here are 10 decisions you'll have to make.

1. What's the intent?

Honeypots are typically used for two primary reasons: early warning or forensic analysis. I'm a huge proponent of early-warning honeypots, where you set up one or more fake systems that would immediately indicate maliciousness if even slightly probed. Early-warning honeypots are great at catching hackers and malware that other systems have missed. Why? Because the honeypot systems are fake -- and any single connection attempt or probe (after filtering out the normal broadcasts and other legitimate traffic) means malicious action is afoot.

The other major reason companies deploy honeypots is to help analyze malware (especially zero days) or help determine the intent of hackers. In general, early-warning honeypots are much easier to set up and maintain than forensic analysis honeypots. With an early-warning honeypot, when you detect a probe or connection attempt, the mere connection attempt gives you the information you need, and you can follow the probe back to its origination to begin your next defense. Forensic analysis honeypots, which can capture and isolate the malware or hacker tools, are merely the beginning of a very comprehensive analysis chain.
I tell my customers to plan on allocating several days to several weeks for each analysis performed using a honeypot.

2. What to honeypot?

What your honeypots mimic is usually driven by what you think can best detect hackers earliest or best protect your "crown jewel" assets. Most honeypots mimic application servers, database servers, web servers, and credential databases such as domain controllers. You can deploy one honeypot that mimics every possible advertising port and service in your environment or deploy several, with each one dedicated to mimicking a particular server type. Sometimes honeypots are used to mimic network devices, such as Cisco routers, wireless hubs, or security equipment. Whatever you think hackers or malware will most likely attack is what your honeypots should emulate.

3. What interaction level?

Honeypots are classified as low, medium, or high interaction.

Low-interaction honeypots only emulate listening UDP or TCP ports at their most basic level, which a port scanner might detect. But they don't allow full connections or logons. Low-interaction honeypots are great for providing early warnings of malicious behavior.

Medium-interaction honeypots offer a little bit more emulation, usually allowing a connection or logon attempt to appear successful. They may even contain basic file structures and content that could be used to fool an attacker.

High-interaction honeypots usually offer complete or nearly complete copies of the servers they emulate. They're useful for forensic analysis because they often trick the hackers and malware into revealing more of their tricks.

4. Where should you place the honeypot?

In my opinion, most honeypots should be placed near the assets they are attempting to mimic.
If you have a SQL server honeypot, place it in the same datacenter or IP address space where your real SQL servers live.
Some honeypot enthusiasts like to place their honeypots in the DMZ, so they can receive an early warning if hackers or malware get loose in that security domain.
If you have a global company, place your honeypots around the world.
I even have customers who place honeypots that mimic the CEO's or other high-level C-level employees' laptops to detect if a hacker is trying to compromise those systems.

5. A real system or emulation software?

Most honeypots I deploy are fully running systems containing real operating systems -- usually old computers ready for retirement. Real systems are great for honeypots because attackers can't easily tell they're honeypots. I also install a lot of honeypot emulation software; my longtime favorite is KFSensor. The good ones, like KFSensor, are almost "next, next, next" installs, and they often have built-in signature detection and monitoring. If you want low-risk, quick installs, and lots of features, honeypot emulation software can't be beat.

6. Open source or commercial?

There are dozens of honeypot software programs, but very few of them are supported or actively updated a year after their release.

This is true for both commercial and open source software.
If you find a honeypot product that's updated for longer than a year or so, you've found a gem. Commercial products, whether new or old, are usually easier to install and use. Open source products, like Honeyd (one of the most popular programs), are usually much harder to install, but often far more configurable. Honeyd, for example, can emulate nearly 100 different operating systems and devices, down to the subversion level (Windows XP SP1 versus SP2 and so on), and it can be integrated with hundreds of other open source programs to add features.

7. Which honeypot product?

As you can tell, I'm partial to commercial products for their feature sets, ease of use, and support. In particular, I'm a fan of KFSensor. If you choose an open source product, Honeyd is great, but possibly overly complex for the first-time honeypot user. Several honeypot-related websites, such as Honeypots.net, aggregate hundreds of honeypot articles and link to honeypot software sites.

8. Who should administer the honeypot?

Honeypots are not set-and-forget-it solutions -- quite the opposite. You need at least one person (if not more) to take ownership of the honeypot.

That person must plan, install, configure, update, and monitor the honeypot.
If you don't appoint at least one honeypot administrator, it will become neglected, useless, and at worst, a jumping-off spot for hackers.

9. How will you refresh the data?

If you deploy a high-interaction honeypot, it will need data and content to make it look real. A one-time copy of data from somewhere else isn't enough; you need to keep the content fresh. Decide how often to update it and by what method. One of my favorite methods is to use a freely available copy program or a copy command to replicate nonprivate data from another server of a similar type -- and initiate the copy every day using a scheduled task or cron job. Sometimes I'll rename the data during the copy so that it appears more top secret than it really is.

10. Which monitoring and alerting tools should you use?

A honeypot isn't of any value unless you enable monitoring for malicious activity -- and set up alerts when threat events occur.

Generally, you'll want to use whatever methods and tools your organization routinely uses for this.

But be warned: Deciding what to monitor and alert on is often the most time-consuming part of any honeypot planning cycle.
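
An added sketch (not from the original article or from any product it names) of the low-interaction, early-warning honeypot described in decisions 1 and 3: decoy TCP ports that accept a connection, drop it without a banner or logon, and alert on every source that is not in an allowlist of expected traffic. The port numbers, the allowlisted address and all function names are assumptions.

```python
import ipaddress
import json
import socket
import threading
import time

# Constructed allowlist (assumption): hosts expected to touch every address,
# such as an internal vulnerability scanner or a monitoring server.
ALLOWLIST = [ipaddress.ip_network("192.0.2.10/32")]

def is_expected(src_ip, allowlist=ALLOWLIST):
    """True if the source is known-legitimate traffic that should not alert."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowlist)

def make_event(src_ip, src_port, decoy_port, allowlist=ALLOWLIST):
    """Build the alert record for one probe, or None for allowlisted sources."""
    if is_expected(src_ip, allowlist):
        return None
    return {"ts": time.time(), "src": src_ip, "src_port": src_port,
            "decoy_port": decoy_port, "alert": "honeypot-probe"}

def listen(port, events, allowlist=ALLOWLIST, host="0.0.0.0"):
    """Open one decoy TCP port: accept, record, close. No banner, no logon."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    bound_port = srv.getsockname()[1]

    def loop():
        while True:
            try:
                conn, (src_ip, src_port) = srv.accept()
            except OSError:      # listener socket was closed
                return
            conn.close()         # low interaction: never talk to the client
            event = make_event(src_ip, src_port, bound_port, allowlist)
            if event:
                events.append(event)
                print(json.dumps(event), flush=True)  # feed to existing alerting

    threading.Thread(target=loop, daemon=True).start()
    return srv

if __name__ == "__main__":
    seen = []
    decoys = [listen(p, seen) for p in (2222, 8081, 14330)]  # constructed ports
    threading.Event().wait()     # run until interrupted
```

Each JSON line is one alert, so the output can be forwarded to whatever monitoring tool the organization already uses, as decision 10 recommends.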
Patch, then patch this, this, this, this, this, this, this, and this

Cisco is warning admins to apply a patch for a critical WebEx vulnerability, one of nine fixed this week. The remote code execution flaw (CVE-2016-1482) could allow attackers to execute arbitrary commands on WebEx servers. Admins can only apply the patch and do not have an option to deploy work-around mitigations.

"A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to bypass security restrictions on a host located in a DMZ and inject arbitrary commands on a targeted system," Cisco wrote in an advisory. "The vulnerability is due to insufficient sanitization of user-supplied data processed by the affected software. An attacker could exploit this vulnerability by injecting arbitrary commands into existing application scripts running on a targeted device located in a DMZ [and] could allow an attacker to execute arbitrary commands on the device with elevated privileges."

Denial of service attacks affect Cisco's Web Security Appliance, WebEx server, IOS XE software, and carrier routing system. That WebEx server flaw (CVE-2016-1483) is rated high severity and occurs thanks to improper validation of user accounts by specific services. "An unauthenticated, remote attacker could exploit this vulnerability by repeatedly attempting to access a specific service, causing the system to perform computationally intensive tasks and resulting in a denial of service attack condition."
Leading IT and Network Management Software Provider Adds New Managed File Transfer Products and Editions

LONDON, UK, 4 August, 2016 – Ipswitch, the leader in easy to try, buy and use IT and network management software, today announced the launch of Ipswitch MOVEit 2016 – underscoring their position as the industry leader in secure Managed File Transfer.
Ipswitch MOVEit 2016 provides new easy to buy, high value editions – Standard, Professional and Premium – for all MOVEit Transfer and MOVEit Automation products.
Ipswitch is also debuting Ipswitch MOVEit Complete, an all-in-one solution for secure Managed File Transfer, delivering the best value possible at the lowest total cost of ownership. MOVEit 2016 strengthens the ability of today’s IT teams to ensure secure and compliant internal and external file transfers.
It also automates workflows and automatically generates reports while ensuring zero downtime and no data loss.

[Image: MOVEit Central]

In addition, MOVEit 2016 contains the all new Ipswitch Gateway module allowing the MOVEit Transfer module to sit behind the firewall. Targeted to industries where IT teams may require multi-layered security, such as healthcare, financial services, insurance, retail, and government, Ipswitch Gateway acts as a proxy securely communicating with MOVEit Transfer installed behind the firewall of the internal network.

Ipswitch Gateway

Regulations such as PCI, HIPAA, FISMA, and GDPR dictate security and process requirements that are interpreted by Risk and Compliance teams into internal policies to govern business and IT operations.

As these regulations have evolved, internal policies are also evolving to require new layers of security between the public Internet and protected data.
Ipswitch Gateway responds to these increasing demands by providing an intermediary function that is deployed in the DMZ network between the Internet and the company’s secured network.

This enables file transfer, authentication and encrypted data storage activities performed by MOVEit Transfer to occur solely within the trusted secure network behind the firewall further protecting the enterprise from Internet threats.

By deploying MOVEit Transfer with Ipswitch Gateway, IT teams can:

- Ensure that no data ever resides in the DMZ portion of the network
- Eliminate all exposure of secured networked resources and authorisation services to the DMZ network
- Provide multi-layer data security with controlled access to user credentials stored inside the network trusted zone

James Lewis, Managing Director at Pro2col, comments: “Data protection regulations in the UK are in a state of flux.

As such, it’s more important than ever for companies to adopt an intelligent, bullet-proof approach to moving digital data that minimises their exposure to risk.

Companies therefore need software that is able to maintain compliance with fast changing data privacy and disclosure directives, while also protecting valuable, sensitive data from unauthorised access.

As such, we welcome the launch of Ipswitch MOVEit 2016 and understand how important this latest version will be for all our customers.” Pro2col is a Gold Partner, the highest partner accreditation awarded by Ipswitch.

MOVEit Complete

To simplify IT teams’ Managed File Transfer needs, Ipswitch is introducing MOVEit Complete – an all-in-one Managed File Transfer solution which combines MOVEit Transfer, MOVEit Automation, Ipswitch Analytics and the newly introduced Ipswitch Gateway.

This new package will be offered in three tiered editions: Standard, Professional and Premium.

“Ipswitch Gateway serves as an important proxy between inbound connections from the public network and your internal trusted network. This ensures that your transfers of sensitive data are protected behind multiple layers of security,” says Michael Hack, Senior Vice President, EMEA Operations, at Ipswitch. “Our customers are dealing with complicated compliance regulations every day and require a solution with the highest level of security possible for data transmission, one that’s compliant with PCI, HIPAA, FISMA and other critical industry regulations.”

New Editions

Ipswitch is also introducing new pricing and packaging editions to make it easier for IT teams to buy a solution that meets their exact requirements while increasing the value they receive from their investment. MOVEit Transfer (formerly MOVEit DMZ) and MOVEit Automation (formerly MOVEit Central) will now be offered in Standard, Professional and Premium editions. MOVEit Automation will also be offered in an additional edition, Basic, as an exciting entry point to the MOVEit product line.

Pricing and Availability

- Ipswitch MOVEit 2016 is available immediately
- Ipswitch Gateway will be available end of August
- Ipswitch MOVEit Automation Basic price starts at $4,995

Trusted in industries with the highest security requirements including government, finance, and healthcare, Ipswitch’s MOVEit secure Managed File Transfer solution is relied upon to reliably and predictably transfer files containing the most critical and sensitive data for thousands of customers and millions of users helping them exceed SLAs and compliance requirements. In recognition of Ipswitch’s role in confidently securing sensitive data for all its customers, the company has also been named a participating organisation member with the PCI Security Standards Council, a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.

To learn more about MOVEit 2016, please visit: https://www.ipswitch.com/secure-information-and-file-transfer/moveit-mft-complete/whats-new-moveit

END

About Ipswitch

Today’s hard-working IT teams are relied upon to manage increasing complexity and deliver near-zero downtime.
Ipswitch IT and network management software helps them succeed by enabling secure control of business transactions, applications and infrastructure.
Ipswitch software is powerful, flexible and easy to try, buy and use.

The company’s software helps teams shine by delivering 24/7 performance and security across cloud, virtual and network environments.
Ipswitch Unified Infrastructure and Applications Monitoring software provides end-to-end insight, is extremely flexible and simple to deploy.

The company’s Information Security and Managed File Transfer solutions enable secure, automated and compliant business transactions and file transfers for millions of users.
Ipswitch powers more than 150,000 networks spanning 168 countries, and is based in Lexington, Mass., with offices throughout the U.S., Europe, Asia and Latin America.

For more information, please visit http://www.ipswitch.com/, or connect with us on LinkedIn and Twitter.

Media Contact:
Robert Fretwell or Richard Wolfe
TOUCHDOWNPR
Office: +44 (0) 1252 717 040
ipswitch@touchdownpr.com