Thursday, November 24, 2005

Microsoft Web Services Enhancements 3.0 Hands on Lab

At the recent launch of Visual Studio 2005 and the .NET Framework 2.0, Microsoft also released an important security extension, Web Services Enhancements (WSE) 3.0.

The new features are briefly described in this article and analyzed in this video.

Today Microsoft also released hands-on labs for trying out everything WSE 3.0 offers to .NET developers.

Tuesday, November 22, 2005

A new way of spamming blog comments

Comment spam on blogs is rising at an impressive rate, and so is the adoption of defences against it.

Google, for example, first enabled the word verification (CAPTCHA) check on its Blogger platform. Then, seeing that automated checks can be worked around, it moved to relying on human judgement by enabling comment moderation.

But comment moderation can be worked around as well, since spammers evolve faster than serial killers do.
A new comment just arrived:
I really appreciate people like you who take their chance in such an excellent way to give an impression on certain topics. Thanks for having me here.

At first sight it appears meaningful, but it refers to nothing in the post. The only way to find out what it is about is to follow the hyperlink on the author's name.
Gotcha! The spammer has achieved his goal.

Luckily the website used by this person had already been taken down by the service provider, so I didn't see any spam message or trigger any HTML exploit against my browser.
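A simple moderation heuristic for exactly this kind of comment, as an added example (it is not code from the original post, nor a Blogger feature): it measures how many of the comment's content words actually occur in the post, counts canned flattery phrases, and checks whether the author's name links off-site. The stopword and phrase lists, the thresholds, the sample post text (condensed from the WSE post above), the legitimate comment and the host names are all assumptions constructed for the illustration.

```python
import re
from urllib.parse import urlsplit

# Added example, not part of the original post and not a Blogger feature.
# Everything below (stopword list, phrase list, thresholds, sample texts
# and host names) is an assumption chosen for illustration.

STOPWORDS = {
    "the", "a", "an", "and", "or", "of", "to", "in", "on", "at", "for", "by",
    "with", "from", "is", "are", "was", "be", "as", "it", "its", "this", "that",
    "you", "your", "i", "me", "my", "we", "our", "who", "also", "does", "do",
    "did", "only", "here", "there", "such", "way", "like", "not",
}

# Flattery that fits any post whatsoever; a real list would be learnt from
# the blog's own moderated comments.
GENERIC_PHRASES = (
    "people like you",
    "thanks for having me",
    "such an excellent way",
    "nice post",
    "great job",
    "keep up the good work",
)

LOW_OVERLAP = 0.10  # below this the comment shares (almost) no content words with the post


def content_words(text):
    """Lower-cased alphanumeric tokens of 3+ characters, minus stopwords."""
    return {w for w in re.findall(r"[a-z0-9]+", text.lower())
            if len(w) >= 3 and w not in STOPWORDS}


def topical_overlap(post_text, comment_text):
    """Fraction (0.0-1.0) of the comment's content words that also occur in the post."""
    comment = content_words(comment_text)
    if not comment:
        return 0.0
    return len(comment & content_words(post_text)) / len(comment)


def generic_hits(comment_text):
    """How many canned flattery phrases the comment contains."""
    text = " ".join(comment_text.lower().split())
    return sum(1 for phrase in GENERIC_PHRASES if phrase in text)


def is_offsite_link(author_url, blog_host):
    """True when the author name is hyperlinked to a host other than the blog itself."""
    if not author_url:
        return False
    host = (urlsplit(author_url).hostname or "").lower()
    return host != blog_host.lower()


def score_comment(post_text, comment_text, author_url, blog_host):
    """Return a verdict plus the evidence behind it.

    The link is the spammer's payload: fluff without a link is harmless, and
    an on-topic comment from someone with a homepage is a normal reader. So a
    comment is held only when it carries an off-site link AND is either
    off-topic or made of canned flattery.
    """
    overlap = topical_overlap(post_text, comment_text)
    generic = generic_hits(comment_text)
    offsite = is_offsite_link(author_url, blog_host)
    reasons = []
    if overlap < LOW_OVERLAP:
        reasons.append("refers to nothing in the post (overlap %.2f)" % overlap)
    if generic:
        reasons.append("%d canned flattery phrase(s)" % generic)
    if offsite:
        reasons.append("author name links off-site")
    spam = offsite and (overlap < LOW_OVERLAP or generic >= 2)
    return {"spam": spam, "overlap": overlap, "generic_hits": generic,
            "offsite_link": offsite, "reasons": reasons}


# --- constructed sample input (post condensed from the WSE entry above) ------
BLOG_HOST = "securityblog.example"
POST_TEXT = (
    "At the recent launch of Visual Studio 2005 and the .NET Framework 2.0, "
    "Microsoft also released an important security extension, Web Services "
    "Enhancements (WSE) 3.0. Today Microsoft also released hands-on labs for "
    "trying out everything WSE 3.0 offers to .NET developers."
)
SPAM_COMMENT = (
    "I really appreciate people like you who take their chance in such an "
    "excellent way to give an impression on certain topics. Thanks for having me here."
)
LEGIT_COMMENT = (
    "Thanks for the link to the WSE 3.0 hands-on labs. Does the security lab "
    "also cover the new policy files, or only the Visual Studio 2005 tooling?"
)

if __name__ == "__main__":
    for label, comment, url in (("spam", SPAM_COMMENT, "http://pills.example/"),
                                ("reader, no link", LEGIT_COMMENT, None),
                                ("reader with homepage", LEGIT_COMMENT, "http://reader.example/")):
        verdict = score_comment(POST_TEXT, comment, url, BLOG_HOST)
        print(label, "->", "HOLD" if verdict["spam"] else "publish", verdict["reasons"])
```

Run as a script it prints a verdict for each constructed comment: the spam above shares no content words with the post and contains three canned phrases, so it is held, while the on-topic comment is published whether or not the reader links a homepage. Tune the thresholds on the blog's own moderation history before trusting the verdict, and use it as a hold-for-moderation signal rather than an automatic delete.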

IPv6 and Mobile IPv6

Anyone who bought the book Understanding IPv6 (Joseph Davies, Microsoft Press, November 2002) can check a new whitepaper on what has changed in the three years since: Updates to Understanding IPv6.

At the same time Microsoft published another interesting whitepaper on Mobile IPv6, the technology that lets a wireless device move from one location (access point or radio bridge) to another while keeping the same IP address (the so-called IP Mobility Support, a proposed standard since 1996).

Lastly, I suggest reading a new article in The Cable Guy column on Microsoft TechNet describing the IPv6 implementation in the upcoming Microsoft operating system, Windows Vista.

Saturday, November 19, 2005

Whitepaper: Creating a Patch and Vulnerability Management Program

The National Institute of Standards and Technology (NIST) has for years published high-quality guides on various IT security topics.

Even today its hardening guides are the holy text if you don't trust automated hardening tools like Bastille Linux, the Microsoft Security Configuration Wizard (SCW) or the Sun Solaris Security Toolkit (JASS).

Now NIST has released the second version of one of its most interesting guides: Creating a Patch and Vulnerability Management Program (SP 800-40 Version 2.0).

The 75-page document doesn't analyze existing market solutions; it describes the fundamental aspects of a company strategy for system patching, and those aspects hold whichever vendor you end up choosing.

It starts by evaluating the real need for an IT asset inventory (to be built with asset management tools), then analyzes the patch distribution lifecycle (monitoring vulnerability reports, downloading patches, lab deployment and testing, production deployment), and finally arrives at the selection criteria for wisely choosing a so-called enterprise patching solution.

As I have said a few times on this blog, many companies limit the actions around a new security product to buying it, installing it and adding it to the huge list of maintenance tasks the IT staff already has.
Where in this case maintenance means: download new patches every day if automatic update synchronization exists, download new patches when you have time if it doesn't, and install new patches on production servers immediately (or at least after working hours, because of the reboots). That's it.

In Italy I have never seen a serious patch management policy applied in a large company.
The maximum effort for some of them is waiting one month after a patch is released, to be sure it hasn't damaged other companies and the vendor hasn't released a second version...

Traffic monitoring and privacy safeguard

When a company reaches a certain size it has, among many others, at least three typical needs:

  • reducing the abuse of company resources and regaining employee productivity

  • optimizing company resources that are not restricted (Internet bandwidth, for example)

  • verifying the correct use of those unrestricted resources and protecting the company from employees' malicious activities on the Net

One of the best products satisfying all these needs is surely Websense (even if it has some terrible technical issues and very unfriendly support).

The tool can limit Internet access to authorized websites and protocols (need 1), limit access to authorized websites to defined hours and authorized protocols to defined quotas of overall traffic (need 2), and block sessions by looking for forbidden application data (need 3).

Even though these needs are satisfied and Websense can count on a wide and regularly updated URL database, it has always had difficulty penetrating the Italian market.
The problem lies in its reporting module, which is very powerful and able to trace every network activity back to a specific employee (through the IP address or user credentials): this puts companies in trouble with Italian privacy law.
The worst thing is that this feature could not be disabled.

A few weeks ago Websense released version 6.1, introducing an anonymous tracing feature for both IP addresses and user credentials.
This change is enough (I actually don't know whether Websense is the only content filtering product offering this feature) to make the product worth considering in every country with privacy concerns, first of all Italy.
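One way to build an anonymous tracing feature of that kind, as an added example that is not Websense code (the post says nothing about how version 6.1 implements it): before each record reaches the reporting database, the client IP and user name are replaced with a keyed hash (HMAC-SHA256). Reports can still group and count the activity of the same unknown employee, but only whoever holds the key (in practice the party legally entitled to re-identify, never the reporting server itself) can map a token back to a person. The log layout, field names, key and sample lines are constructed for the example.

```python
import csv
import hashlib
import hmac
import io

# Added example, not Websense code. Constructed sample of proxy log lines;
# the column layout and the key are assumptions.
SAMPLE_LOG = """\
timestamp,client_ip,user,url,category,action
2005-11-19T09:12:03,10.1.4.23,mrossi,http://www.example.com/news,News,allow
2005-11-19T09:12:41,10.1.4.57,lbianchi,http://games.example.net/,Games,block
2005-11-19T09:13:10,10.1.4.23,mrossi,http://mail.example.org/,Webmail,allow
2005-11-19T09:14:02,10.1.4.57,lbianchi,http://www.example.com/news,News,allow
"""

# The key must live with the party allowed to re-identify, not on the
# reporting server; rotate it at the end of every retention period.
KEY = b"assumed-secret-key-kept-away-from-the-reporting-db"

# Fields that identify a person; everything else is kept as-is for reporting.
IDENTIFYING_FIELDS = ("client_ip", "user")
TOKEN_HEX_LEN = 16  # 64 bits: short report columns, negligible collisions


def pseudonym(value, key, length=TOKEN_HEX_LEN):
    """Keyed one-way token: same key + same value -> same token, every time.

    An unkeyed hash would not do: IPv4 addresses and user names form a tiny
    space that is brute-forced in minutes. With HMAC the attacker needs the key.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def anonymize_record(record, key):
    """Copy of the record with identifying fields replaced by tokens."""
    out = dict(record)
    for field in IDENTIFYING_FIELDS:
        out[field] = pseudonym(record[field], key)
    return out


def anonymize_log(text, key):
    """Parse CSV log text and return the pseudonymized records."""
    return [anonymize_record(r, key) for r in csv.DictReader(io.StringIO(text))]


def activity_per_user(records):
    """Reporting still works on tokens: requests per (anonymous) user."""
    counts = {}
    for r in records:
        counts[r["user"]] = counts.get(r["user"], 0) + 1
    return counts


def reidentify(token, candidates, key, length=TOKEN_HEX_LEN):
    """Authorized path only: the key holder re-hashes the known user directory
    and finds which entry produced the token. Without the key this fails."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonym(candidate, key, length), token):
            return candidate
    return None


if __name__ == "__main__":
    records = anonymize_log(SAMPLE_LOG, KEY)
    for r in records:
        print(r["timestamp"], r["client_ip"], r["user"], r["url"], r["action"])
    print("requests per anonymous user:", activity_per_user(records))
    print("key holder resolves first token to:",
          reidentify(records[0]["user"], ["lbianchi", "mrossi"], KEY))
```

The reporting module sees only the tokens, yet it can still say that one anonymous user made two requests, one of them blocked. Truncating the HMAC to 16 hex digits keeps collisions among a few thousand employees negligible; rotating the key at each retention boundary deliberately breaks correlation across periods, which is usually what the privacy rules ask for.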

Thursday, November 17, 2005

Free Cisco online courses on IPS 4200 devices

Cisco has just released two 30-minute online courses on two configuration topics for the IPS 4200 series sensors (the sensors being put into end-of-life by the new Cisco ASA device):

  • Understanding and Configuring In-Line VLAN IPS
    Learn the difference between uplink inline IPS and inline VLAN IPS, as well as how to configure inline VLAN IPS. After a brief explanation of how inline VLAN IPS works, watch a step-by-step demonstration of the configuration process.


  • Cisco Incident Control Server
    Learn how to use the Cisco Incident Control Server (Cisco ICS) to mitigate network worms and viruses. After a brief explanation of how the Cisco ICS works, watch a step-by-step demonstration of how to configure the ICS and use the IDM to verify its functionality.

The quality of Cisco courses is always good, and both topics are interesting enough to be worth an hour if you work with this product.

Wednesday, November 16, 2005

AS/400 security guide

One very good thing about IBM is its Redbooks department, which produces books of very high quality and technical depth on many topics, even ones not related to IBM.

One less good thing, on the other hand, is the total absence of information about the security of iSeries systems (formerly known as AS/400), which are widespread in Italian companies, from small businesses to large banking institutions.

Finally, a great Redbook on iSeries i5/OS 5.3 security is out today:
IBM eServer iSeries Security Guide for IBM i5/OS Version 5 Release 3.

Here are the contents:
  Part 1. Security concepts
  • Chapter 1. Security management practices
  • Chapter 2. Security process and policies
  • Chapter 3. iSeries security overview

  Part 2. Basics of iSeries security
  • Chapter 4. iSeries security fundamentals
  • Chapter 5. Security tools
  • Chapter 6. Security audit journal
  • Chapter 7. Confidentiality and integrity

  Part 3. Network security
  • Chapter 8. TCP/IP security
  • Chapter 9. Cryptographic support
  • Chapter 10. Virtual private network
  • Chapter 11. Firewalls

  Part 4. Authentication
  • Chapter 12. iSeries server authentication methods
  • Chapter 13. Single signon

  Part 5. Security management
  • Chapter 14. Regulations and standards
  • Chapter 15. Security monitoring
  • Chapter 16. Considerations and recommendations

Check Point releases InterSpect NGX

InterSpect is the Check Point network appliance that forwards traffic at ISO/OSI layers 2 and 3 (acting as a bridge, switch or router) while inspecting it at layers 4-7, thanks to the Check Point SmartDefense / Application Intelligence / Web Intelligence application inspection engine.

Until today it hadn't had much success, because of its high price and the unavoidable performance degradation the application inspection engine causes.

Today the NGX release is out, based on the new platform of the same name and providing a new quarantine feature: Rogue PC Containment.
The hyped name, as is Check Point tradition, hides an Endpoint Security agent, which presumably (I'm waiting for documentation before confirming) will be managed by the Integrity Server.

This last product was updated less than a week ago with the introduction of antispyware checks.

So, if InterSpect is configured to act as a switch or router, Check Point has just built a complete Endpoint Security solution to counter Cisco's (actually both lack software patch management, but we should wait and see whether their products can interoperate with the next Microsoft WSUS version), and this could be a great boost for the device.

Here is the official announcement: http://www.checkpoint.com/press/2005/interspectngx111505.html

Sunday, November 06, 2005

Microsoft SQL Server 2005 includes hardening features

The brand new SQL Server 2005, available now for Microsoft Partners and MSDN Subscribers and later this month for everyone else, includes a new hardening tool called Surface Area Configuration (SAC).

With the SAC tool you can configure the networking side, choosing whether SQL Server must be reachable remotely (specifying the accepted protocols) or only locally (as ISA Server 2004 does when you configure it to use the local MSDE instance).

It also controls other critical features, such as xp_cmdshell, the extended stored procedure that runs operating system commands from inside the database (disabled by default in SQL Server 2005).


SAC is available in every SQL Server 2005 edition, including Express, the free edition replacing the old MSDE.

Apart from the Surface Area Configuration tool, Microsoft could also release a newer version of its multi-role hardening tool, the Security Configuration Wizard (SCW), to support the new services that SQL Server and other upcoming back-end products will install on Windows 2003.

Microsoft has launched a bunch of free online SQL Server 2005 courses. I hope there will be at least one about security.

Wednesday, November 02, 2005

Microsoft ISA Server 2004 Service Pack 2 entering beta phase

The bits have just been made available, for both the Standard and Enterprise editions.

Three new features are introduced:

  • HTTP compression

  • BITS caching

  • HTTP QoS
I can't say anything else because of the NDA.

This SP2 is unlikely to fix many of the bugs found so far; they will probably be revisited (if the guys in Redmond choose to change approach) in the next product version.

Tuesday, November 01, 2005

Microsoft WSUS database cleaning

In a September post I mentioned an interesting article on how to migrate the Microsoft WSUS database from MSDE to SQL Server 2000 (and now, finally, SQL Server 2005).

But whatever database you use, one specific activity will always be needed: periodically removing unnecessary updates.
Unnecessary updates are those labelled Superseded or Expired, or those initially downloaded and then moved to the Not Approved status (for example because your update policies have changed).

This task isn't performed automatically and isn't a product feature.
So, to clean the database, Microsoft released a command line tool, senselessly called Server Diagnostic Tool.

This tool, whose real name is WSUS Debug Tool, must be run on the WSUS machine with the PurgeUnneededFile flag.

It's best to schedule it at least once a month to keep the database size under control.