July 2005

There’s Got to be a Better Way

After reading this article about fourth-generation rootkits, I can’t help but think that there has to be a better way to get information out about these kinds of threats.  Are we warning about pending threats, or are we creating the new threats ourselves?  Do these kinds of presentations help us protect our computers and our networks, or do they give the other side the ammunition they need?

Cisco IOS = Windows XP?

Well, the Black Hat conference in Las Vegas certainly generated a great deal of excitement this past week.  A security presentation was going to be given about a first-ever exploit for Cisco routers.  From what I’ve been able to decipher, Cisco had been working closely with ISS, the company whose researcher (Michael Lynn) was supposed to give the presentation, and both companies apparently agreed that the presentation needed further review.  Cisco and ISS jointly sought an injunction against Michael Lynn when he quit his job at ISS to give the presentation anyway; this came after Cisco employees had physically removed the presentation pages from the books handed out at the conference and destroyed CDs containing the presentation materials.

It appeared as if Lynn was going to give a VoIP presentation instead, but then proceeded with the original presentation anyway, even though he knew it would likely result in lawsuits from Cisco and his former employer.  In the presentation, he likened Cisco’s IOS (Internetwork Operating System) to Microsoft Windows XP, saying “IOS is the Windows XP of the Internet.”

Finally, on Thursday, a court order was issued, and all parties involved agreed to its terms, which restrict them from further sharing or disseminating any information about the security flaw.

Both Cisco and ISS have taken a real hit from this whole situation, and I can understand why.  Cisco looks like it’s trying to cover up security vulnerabilities; it was only after all of this that Cisco issued a security advisory discussing the vulnerability.  If Michael Lynn’s research was accurate, then it is appropriate for people to know so that our networks can be protected.  Cisco network equipment running IOS does, indeed, power a large portion of the Internet.  At the same time, if he violated the law and the terms of his agreement with Cisco by reverse engineering IOS, then he should not have publicized that information.  But then again, it appears as if Cisco would not have released security information had Mr. Lynn not proceeded with the presentation, so…you see that this issue is sensitive and there are reasonable and understandable concerns on all sides.

To be honest, I don’t know what I would have done if I were in the same situation.  The only advice that comes to mind is, “If you do what is right, you can’t go wrong.”  But what is “right” in this situation?

VPN Integration Done

That was easier than I expected.  I managed to get my hardware firewall to authenticate VPN connections against Active Directory via RADIUS (using Internet Authentication Service, or IAS) without a great deal of effort.  In fact, it was almost easy.  If I ever get caught up on documentation, I’ll post some details on how to do it on the Mercurion Systems web site.

With the majority of my Linux servers now authenticating against Active Directory, I’m now able to broaden my integration focus and work on some related tasks:

SASL2/PAM:  I still have one server, running SASL2, that has not been switched over to the standard Kerberos/LDAP configuration.  I’ll need to research the interplay between SASL2 and PAM before I tackle this one.

OpenBSD Authentication:  I haven’t touched any of the OpenBSD servers yet for Kerberos/LDAP authentication.

VPN Authentication via RADIUS:  I’d like to use RADIUS to handle some VPN authentication against Active Directory as well.  I don’t anticipate this should be too terribly difficult, but it is something that is rather new to me.

Apache Authentication via Kerberos to AD:  One of the documents that helped me get the pam_krb5 stuff working was for using mod_auth_kerb with Apache (more information is posted here as well).  I’d like to deploy this for some select areas of our intranet and extranet sites, to add an additional layer of security on top of what is already present.

Of course, this is in addition to trying to establish an internal news server running INNd (and then migrating content from Exchange Server 2003 into this news server) and working on Squid log analysis tools.  I’ll probably start investigating Squid authentication options as well, since that would be very helpful to my customers (especially if I can get the authentication to be transparent, or very nearly so).  On top of that I have duties in church, work as a manager overseeing employees, and things to do as a dad.  Whew!  I often wonder if I am just not efficient with managing my time, or if I just have too much to do.

Well, my Linux-AD integration task is pretty much complete.  I have three Linux servers authenticating via Kerberos to Active Directory, and using LDAP for name/group resolution.  Only one Linux server remains; I need to do some research on how SASL will interact with PAM before I can switch over that particular server.  My OpenBSD server I’m going to leave alone for now; perhaps later I’ll get it integrated as well.

Next, I think I’m going to see what is involved in using RADIUS to authenticate VPN tunnels on my hardware firewall.

I blogged a while back about concerns that spyware makers were adding rootkit functionality to their products to make them harder to detect and harder to remove.  It seems that trend has gotten the attention of Microsoft.  (About time, I say.)

Microsoft’s Malicious Software Removal Tool has been enhanced with the ability to find and remove rootkit-like trojans and backdoor applications.  In addition, Microsoft has indicated that it will likely incorporate anti-rootkit functionality into future versions of its AntiSpyware product, acquired with Giant Software and still in beta.

Rootkits have been reported on virtually all major operating systems, so we can’t really knock Microsoft for allowing rootkits to infect Windows.  We can, however, insist that as long as Microsoft makes it possible for the operating system to be compromised in such a significant way through the use of a web browser, then such stuff as Strider Ghostbuster (Microsoft’s anti-rootkit technology) should continue to be offered to Windows users at no charge.

As a quick follow-up to my previous posting, testing with Kerberos authentication from a Linux server with pam_krb5 was successful.  Instead of using a user account in Active Directory to generate the keytab, I was able to use a computer account and just had to modify the ktpass.exe command line syntax slightly (see my previous post).

I think I have resolved one minor Linux-AD integration hiccup.  In setting up the Kerberos authentication, various instructions I had found (including some from Microsoft) indicated I needed to create a user account for the Linux servers, then use ktpass to generate the Kerberos keytab.  This works, but being the stickler for detail that I am, I really wanted to use a computer account instead of a user account.

After fiddling with it for a while, I finally managed to make it work.  The ktpass command should look something like this:

ktpass -princ host/fqdn@REALM -mapuser DOMAIN\name$ ^
       -crypto DES-CBC-MD5 -pass password -ptype KRB5_NT_PRINCIPAL ^
       -out filename

The missing piece, for me, was specifying “DOMAIN\name$” for the mapuser parameter.  Without it, the command kept generating an error.

I don’t know for sure that this will work, but I will be testing this within the next day or so to see how it goes.
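As an added example (not code from the original post), here is a small Python reader for the file ktpass produces.  It parses the version 2 keytab format that MIT and Heimdal Kerberos read, so that on the Linux side you can confirm the entry really is host/fqdn@REALM with the kvno and enctype you expect before copying it to /etc/krb5.keytab; a keytab whose kvno no longer matches the account in AD (ktpass bumps the account's kvno every time it is run) is the usual cause of a "key table entry not found" failure.  It also flags single-DES entries such as the DES-CBC-MD5 key above, since that enctype is weak and ktpass on Windows Server 2003 also accepts RC4-HMAC-NT.  The build_keytab helper, the principal host/linux1.example.com@EXAMPLE.COM and the zero key bytes are constructed sample input for the example, not anything from the post.

```python
"""Inspect a Kerberos keytab (MIT/Heimdal format 0x0502) without krb5 tools.

Added example: check that the keytab written by ktpass on the domain
controller carries the host principal, kvno and enctype you expect.
"""
import struct
import sys

# Enctype numbers from RFC 3961 / RFC 3962 / RFC 4757.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 3}  # single DES (the -crypto DES-CBC-MD5 default of the time)


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length, then bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a v2 keytab.

    Used here only to construct sample input; ktpass is what really writes it.
    """
    out = bytearray(b"\x05\x02")  # format version 0x0502
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">II", 1, 0)        # name_type KRB5_NT_PRINCIPAL, timestamp
        body += struct.pack(">B", kvno & 0xFF)  # legacy 8-bit vno
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)         # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob):
    """Return one dict per live entry; key bytes are deliberately not returned."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted entry (hole)
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", blob, pos)
        pos += 4
        realm = blob[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            comps.append(blob[pos:pos + clen].decode())
            pos += clen
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4 + klen         # skip the key material itself
        kvno = vno8
        if end - pos >= 4:      # 32-bit kvno present after the key
            (kvno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,  # compared case-sensitively
            "name_type": name_type, "timestamp": timestamp, "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"enctype {enctype}"),
            "key_len": klen,
        })
    return entries


def check_host_keytab(blob, fqdn, realm):
    """List problems for host/<fqdn>@<REALM>; an empty list means it looks fine."""
    want = f"host/{fqdn}@{realm}"
    matching = [e for e in parse_keytab(blob) if e["principal"] == want]
    problems = [] if matching else [f"no entry for {want}"]
    for e in matching:
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append(f"{want} kvno {e['kvno']} uses single-DES enctype {e['enctype_name']}")
    return problems


# Constructed sample: what a ktpass run with -crypto DES-CBC-MD5 would leave behind.
SAMPLE_KEYTAB = build_keytab([("host/linux1.example.com@EXAMPLE.COM", 3, 3, bytes(8))])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(blob):
        print(f"{e['principal']}  kvno={e['kvno']}  {e['enctype_name']}")
    for p in check_host_keytab(blob, "linux1.example.com", "EXAMPLE.COM"):
        print("WARNING:", p)
```

Run it with the path to the keytab ktpass wrote (`python3 keytab_check.py linux1.keytab`) and compare the kvno it prints with the msDS-KeyVersionNumber attribute of the computer account in AD; the two must agree or the DC will reject the host's key.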

Matthew West’s New Album

I stopped by the local LifeWay yesterday to spend a gift card the kids had purchased for me as a Father’s Day gift.  While I was there, I found that the latest album from Matthew West, History, was available, so I picked up a copy.  Good stuff!  I’d heard the latest single from the album, “Next Thing You Know,” on the radio, but as I was listening to it again this morning on the way to church God really blessed me again.  It’s funny how a song that maybe you’ve heard a dozen times or more can really touch your heart.  To me, that’s just another indicator that no matter how much we think we know God, there’s still more to Him than we could ever imagine.

Anyway, go grab a copy of History and listen to it.  I think the Lord will really speak to you.

Well, limited success, anyway.  I have managed to get Linux authentication to occur via Kerberos against Active Directory.  LDAP is used to look up the user and group information.  Using pam_krb5, authentication occurs via Kerberos to an Active Directory DC for any PAM-aware application.  I’m sure that I’ll find some hiccups along the way, but so far things look good.  I only have one server configured this way for now (a non-essential server), but after some additional testing I’ll expand this to the remainder of my Linux servers.

I’ll post more details here and/or on the Mercurion Systems web site once all the bugs have been worked out.  My thanks go out to the many, many individuals who posted information on using Kerberos and LDAP with Active Directory; this would not have been possible without their assistance.
