[SecurityRatty] tag: solutions

Cisco 7600 OSR Backbone Router

Sat, 06 Sep 2008 07:25:02 +0000

For our confused CEO blogger over at StreamBase, who thinks an Internet backbone router is the small $30 device he set up in his home office, here is a photo of a the Cisco 7600 OSR which of course runs CISCO IOS.

The Cisco 7600 OSR consists of a 256 Gbps switching fabric and a 30 million packets per second (mpps) forwarding engine. Its breadth of IP services comes from Cisco IOS, which provides features such as security, enhanced QoS, and destination sensitive services. In addition, the Cisco 7600 OSR allows the migration of existing port adapters from Cisco 7500 series routers, via the Cisco FlexWAN module, giving service providers one the industry’s widest array of interface options in any single platform. This provides service providers great flexibility in deploying the Cisco 7600 OSR for a variety of applications, protects their investment in existing systems, and gives them a practical migration path to the New World Optical Internet.

A Revolutionary Platform For Evolving Networks

The Cisco 7600 OSR helps service providers break through service and bandwidth barriers today, while designing networks to scale for future growth. The Cisco 7600 OSR achieves this through “adaptive network processing,” or the ability to evolve the platform for new IP services without hardware upgrades. Unlike fixed, ASIC-based platforms, which are hardware encoded, the Cisco 7600 OSR relies on the highly flexible Parallel eXpress Forwarding (PXF) technology for scalable performance of services. PXF is a patented, Cisco-developed network processor capable of line-rate IP services delivery that can support new IP services through periodic software upgrades. Each OSM has two PXF processors capable of 12 mpps of IP services delivery per interface card.

“IP+Optical combines the dynamism of the Internet world with the foundation of the transport world, creating an infrastructure that can deliver the services that service providers need,” said Lele Nardin, vice president of the Internet Systems Business Unit at Cisco. “Cisco will continue to add innovative solutions on top of this solid foundation to make service providers better equipped to meet the constantly escalating and changing customer demands for new networking services.”

Pricing and Availability

The base Cisco 7600 OSR system is list priced at $73,000 and the entry level system, with interfaces, start at $100,000. The interfaces modules are priced between $27,000 to $180,000. The Cisco 7600 OSR is available now worldwide.

Customers Being Heard Dell OEM Customer Advisory Council

Fri, 05 Sep 2008 11:54:54 +0000

It was a surprise and a great honor when Dell asked us to participate on their Industry Solutions Group (ISG) OEM Customer Advisory Council – even more so when I met some of the other members from companies like Google, Teradata, Siemens Medical and Cisco. Not so shabby.

I arrived in Austin Sunday night to get ready for a factory tour on Monday, a kickoff dinner and then two days of briefings from Dell executives, including Michael Dell himself! Dell’s ISG business is growing at a very fast pace and continues to build momentum and focus within the broader organization.

We had a nice overview of the product roadmap, including some of the exciting enhancements Dell is making to their storage products such as the MD3000 and the new EqualLogic PS5000 series iSCSI solutions.

I really enjoyed the Council meeting and it reminds me all over again; what I admire about Dell is the way they and Michael Dell himself stay close to the customer. The entire purpose of this event is to “get it right” and determine meaningful ways to embrace change (including change in the manufacturing process) in order to make their customers more successful. Ah shucks, you may say that all companies behave this way… well I must tell you that is not true and at times, I find it difficult as we continue to grow to stay as close as I would like to all of our customers varying needs and directions.

This concept of gathering, internalizing and embracing customer feedback is a simple principle of Business Success stories. Always trying to improve the pace of change and build meaningful sticky relationships with customers. Dell’s very successful Ideastorm site where customers post product feedback and are active participants in the Dell community is a great example of how to do this right. No other hardware vendor that we have worked with or attempted to work with has ever gone to the extent of embracing change that Dell has during our 5-year relationship.

From the custom factory integration services to the attention to detail in the order and manufacturing, and logistics processes, Dell helps us execute for our customers and I must admit that we could not have built the business as quickly or efficiently without Dell!

So thank you Michael Dell for building a business that embraces change and is focused on helping your ISG customers succeed.

Should You Install Messaging Security Software on Your Exchange Server?

Fri, 05 Sep 2008 09:00:00 +0000

(Source: Sunbelt Software) Osterman Research shares insights gleaned from a just completed survey that dispel the fears of employing server-based email security solutions. Read this white paper to help you understand the latest Exchange security risks and also learn about reasons why an installed security solution may be the best option for you in countering those challenges.

Safely providing anywhere, anytime network access

Tue, 02 Sep 2008 01:26:33 +0000

Today's business user often needs remote access to email, documents, or other business information, even when a business supplied laptop or desktop is available. This need for secure anytime, anywhere access to business information comes with its own complete set of challenges. But reasonably priced and user-friendly solutions are emerging.

Thieves Target Homeowners and Builders

Fri, 29 Aug 2008 15:51:00 +0000

We have written about thefts of copper wire and even street manhole covers in the past. It appears that new homes and those being foreclosed upon are ripe targets for unscrupulous thieves.

Thankfully, there are many more solutions than in days past. Global Positioning Systems can now be hidden in materials and the thieves can be tracked in real time and the Police notified by the security consultant who has been hired to monitor their movements.

The highlighted link from "The New York Times", tells the sad story of a young couple and their 7 month old child who had to live onsite at their new house for many months in order to deter thieves.

We have spoken with home builders in the past regarding supplying security officers to monitor unfinished homes. One of the hurdles has been the cost of security. The escalating cost of these thefts may now make Home Builders think twice though.

The National Association of Home Builders claims that $5 BILLION a year is being stolen nationally by theives from homes under construction. That would purchase a lot of security services. Not to mention the cost of labor to replace that missing copper wire, plumbing fittings, doors & windows, etc.

Like we always say, thieves are opportunists. If you give them an opportunity such as leaving valuable building supplies unprotected, they will take them. On the other hand, if you put an obstacle in their path such as a site that is monitored by security cameras (with somebody on the other end of the camera - you'd be surprised how many businesses put in cameras but have nobody to monitor them)or a roving security vehicle, they will move along and ply their trade elsewhere.

That is called "target hardening". Quite literally, you make yourself (or your property) a harder, more difficult target. They then move along to some other target. Bad for someone else, but good for you.

Magic Quadrant for Application Delivery Controllers

Fri, 29 Aug 2008 09:00:00 +0000

(Source: Citrix) Gartner summarizes its view on Application Delivery Controllers, evaluates strengths and weaknesses of solutions, and provides Magic Quadrant reporting for a quick comparison across all vendors. Learn from Gartner how you can benefit from an all-in-one device like Citrix NetScaler that delivers the highest levels of availability, performance and security.

How do you Manage Virtualization if you cant see Performance?

Thu, 28 Aug 2008 21:15:41 +0000

NetIQ, which seemed to drop off the planet not long after being bought by Attachmate, is back with the results of a very interesting virtualization survey. Now, you know that you need to take all surveys with a big grain of salt (e.g., the majority of respondents to this one were less than 10% virtualized), but it’s still good to take temperatures whenever possible.

The numbers we found interesting:

- only 21% currently deploying virtualization have any kind of systems management solutions for their virtual infrastructure

- about 27% are managing performance/ability of virtual systems with same tools they use for physical servers (Nothing wrong with that as long as they’re seeing what they need to see but…)

- 40 percent of those surveyed do not report the performance of their virtualized applications, hardware, operating systems, or their virtual machines in any measureable way (which rather undercuts the whole point)

Get the full results here.

Web Services and XML Security Training at OWASP

Thu, 28 Aug 2008 04:55:59 +0000

I am teaching Web Services and XML Security training at OWASP's AppSec conference in NYC, Sept 22-23. Web services provide the backbone that integrates many things in the enterprise from application servers, databases, ERP, and CRM. Increasingly we are seeing Web services in more B2C roles with Rest, Federation and other technologies. The class looks at how Web services applications are built, what are common threats and vulnerabilities in Web services, and how to build your Web services application to defend against them.

I have often said that OWASP conferences are my favorite ones because they are in depth technically and very practical. I always look forward to teaching at OWASP and the speaker lineup for this conference looks excellent.

Here is a quick list of tools we have used in past classes

Web Services frameworks
Apache CXF - very interesting open source Web services framework with support for JMS, SOAP, and Rest
Apache Axis & Axis2
.Net
Metro - interesting framework from Sun for interop with WCF

Identity
PingFederate - leading federation tool, we'll look at browser based SSO with SAML
PingFederate Web Services - we'll look at how to implement a STS in Web services
Bandit - Cardspace, authorization, and auditing

Security Services
VordelSecure - XML gateway, comprehensive web services security policy creation and enforcement, deploying decentralized security services
Apache Ramparts
modecurity

Testing
Soapbox - web services security testing
WebScarab - web services fuzzing

Static Analysis
Fortify SCA - how to scan your web services code for security bugs *before* you deploy

This is just a quick list, new tools are added periodically. If you are using tools of these types in your company you may find it interesting to attend.

Testimontials on past classes

"High quality detailed overview of SOA security standards and approaches. Well thought-out and structured presentation."
- Sr. IT Architect, Fortune 10 enterprise

"The knowledge and transfer was a great baseline and with the additional resources Gunnar made available, made this one of the best one day classes I've taken."
- IT Security Lead, Fortune 10 enterprise

"This class was a thorough and well-organized trek through the current Web Services Security landscape. Going beyond just describing the standards and the options available in the Web Services Security world, this class discusses real-world use cases and offers implementable solutions, best practices, even vendor choices in several key areas. This class provided me with actionable tasks that I took back to my project teams the very next day!"
-Jesse Aalberg, Sr. Enterprise Application Architect, United Healthcare

"The class was distinctly focused on Security requirements and the strength and weaknesses of the various solution approaches we could consider. The result of the course was actionable approaches to providing security in our SOA environment."
-Brad Sillman, Director IT Security, Deluxe Corp.

"Anyone who wants up-to-date information on SOA Security, security standards and best practices should take this class."
-Kevin Beam, Senior Systems Engineer, Union Pacific Railroad

"Good comprehensive overview of subject, standards, and threats"
- Sr.Security Consultant, Ubizen

"The class helped me get my head around what "SOA" and WS-Security is really all about"
- Mike Zusman, Independent consultant

"Topics addressed are timely and relevant. Labs are hands-on and help see concepts in action"
- Jerry Tan, Systems Analyst, DTCC

"This class was concise and covered a majority of the problem set my company is looking at and dealing with."
- Steve Reilley, Technical consultant, Commerce Insurance

"Excellent two day overview of security topics as related to Web Services."
- Daniel Reznick, Information Security, ADP

"Issue affecting most of us today & for those that don't - will soon. Very necessary education and technology."
Aaron Delashmutt

"Great class! Effective and relevant teaching in an area without much guidance."
- Mark DiSabato, Senior Information Security Architect, Roche

"The class cut through jargon to communicate concepts and implementation details."
- Developer, Fortune 100 insurance company

"Good overview regarding SOA Security. Contains new technology like AMQP and REST"
- Lars Loland, Statoil

"The course covered what I had to learn about Web services"
- Sven Vetsch, Dreamlab Technologies

"Very good, eye opening especially for websecurity noob."
-Michael Brandon

"Presenter has very broad and deep technical knowledge on subject. Content: good overview and comparison of SAML and WS-*"
- Security consultant, ING

"Good to learn where our application is vulnerable to attacks and how we can avoid them."
- Application Development Programmer Lead, Fortune 100 Insurance company

"Entirely thorough overview of technology surrounding the use of web services with a 1 day presentation"
- Technical consultant Contextis

"Gave a good overview of the Web services security environment"
- Francesco Degrassi, Emaze Networks

"A great entry point for securing your web services"
- Stig Kluver

"Lots of good technical information about an emerging area that's very useful"
- Rory McClune, HBOS PLC

"This class reinforced the importance of software security assurance to me as it lucidly demonstrated why being 'behind the firewall' is an outdated concept."
-Senior Support Engineer, Software Security vendor

"The area of SOA Security is complicated and youg. A course such as this helps bring it into focus."
-Jayme Frye, System Engineer, Union Pacific Railroad

"Web services security class provided application security concepts valuable for applications audits."
- Mary Ma, IT Auditor, DTCC

"Very knowledgeable coverage of security requirements for Web services."
- David Libershal, Network Security Engineer, Johns Hopkins University Applied Physics Laboratory

"WS/XML security is not a "black art", but you do need to know about it to be able to take it into consideration."
- Applications Specialist, Global 500 manufacturer

"Good overview of techniques worth considering when planning secure apps"
- EAI Specialist, Leading Mobility company

"Brought concepts in very easily understood terms."
-Glenn Bernard, Systems Engineer

"Gives ideas about the latest Web services security standards in the industry"
- Security Coordinator, Global 500 manufacturer

"Class cleared up various WS-* standards and gave great concrete examples of how to build a message using each standard. Very good general thoughts on security groups' role in IT."
- Matt Kasselman, UP Systems Engineering

"I found this very useful as an IT architect in a "security critical environment"."
- Mika Pullinen, IT Architect, Finnish Defense Forces

"Lots of useful information packed in a small amount of time. Good overall picture."
- Jari Pirhonen, Security Director, Samlink

"Gunnar is very knowledgeable about security topics and has a great ability to explain complex ideas using simple, appropriate, and amusing language and analogies."
- Scott Redd, Sr. Project Engineer, Union Pacific

"Excellent instructor who had a good pace to go through the presentation"
- Anna Vaahtokan, Specialist, Nordea

"Good application security principles."
- Tuomas Kivinen, IT Security Specialist, Nordea

"I liked the class quite a bit. I took it in a "survey mode" where I wanted to learn about topics at a high level, and this was accomplished. It was good to listen to those in the class that were much more familiar with SAO than I."
- John Glazeski, Senior Systems Engineer

Diebold Finally Admits its Voting Machines Drop Votes

Thu, 28 Aug 2008 02:38:35 +0000

Premier Election Solutions, formerly called Diebold Election Systems, has finally admitted that a ten-year-old error has caused votes to be dropped.

It's unclear if this error is random or systemic. If it's random -- a small percentage of all votes are dropped -- then it is highly unlikely that this affected the outcome of any election. If it's systemic -- a small percentage of votes for a particular candidate are dropped -- then it is much more problematic.

Ohio is trying to sue:

Ohio Secretary of State Jennifer Brunner is seeking to recover millions of dollars her state spent on the touch-screen machines and is urging the state legislature to require optical scanners statewide instead.
In a lawsuit, Brunner charged on Aug. 6 that touch-screen machines made by the former Diebold Election Systems and bought by 11 Ohio counties "produce computer stoppages" or delays and are vulnerable to "hacking, tampering and other attacks." In all, 44 Ohio counties spent $83 million in 2006 on Diebold's touch screens.

In other news, election officials sometimes take voting machines home for the night.

My 2004 essay: "Why Election Technology is Hard."

Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Wed, 27 Aug 2008 16:53:17 +0000

Synopsis: Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Welcome to Blue Box: The VoIP Security Podcast #82, a 47-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on June 21, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Note about the production team – new special editions coming soon.
- Note about URLs for the media files
AST-2008-008 – Remote Crash Vulnerability in SIP channel driver when run in pedantic mode
AST-2008-009 – Remote crash vulnerability in ooh323 channel driver
Skype-SB-2008-003 – Skype File URI Security Bypass Code Execution Vulnerability

New version of SIPvicious

Sipflanker – tool to find SIP devices with web GUIs

Discussion about VoIP Steganography (pointed to by Craig Bowser)

Geeks Are Sexy: New Technology Hides Messages in Internet Phone Calls – and Switched: Spies to Use Skype to Send Secret Messages? – and The Register

FierceVoIP: VoIP Security and the Circle of Trust pointing to Government Computer News: Careful with the call

The Register: ‘Untraceable’ phone fraudsters eye your credit card

SearchUnifiedCommunications: Disaster and recovery in the VoIP/IPT RFP

Secure Computing: Voice tools under enemy fire

VNUnet: A good VoIP application is worth paying for

Ofcom confirms VoIP providers must provide access to 999 and 112

Bogdan Materna’s blog is live

Realtime Community: The Essentials Series:
Messaging and Web Security
Volume III

Global Knowledge: On-Demand Webinar on VoIP Security (hat tip to Thomas Lee )

SearchSecurity: The threats to telcos and how they can repel them

TMCnet: Balancing Issues in World of Telepresence

Network World: VoIP Security Buying Guide

Nortel and SecureLogix Team to Deliver Voice Security and Management Solutions to Worldwide Enterprise Market (see also this analysis )

Sipera Partner Network Arms Resellers With Comprehensive UC and VoIP Security

VIVOphone Deploys Paradial RealTunnel?? to Solve NAT Traversal Challenges for VoIP Services

Audiocodes joins the ranks of SBC vendors

SearchSecurity: Securing the new network (interesting because it shows the layers of a defense in depth)

The Hindu Business News: Serious about Security

Shows:
- IP Telephony University – June 23-24, Alexandria, VA
- IPTComm 2008 – July 1-2, Heidelberg, Germany
- The Last H.O.P.E. – July 18-20, New York
- SpeechTek – August 18-20, New York
Call for papers for Hack-in-the-box Malaysia ends June 30th

SchmooCon 2008 videos available – several dealing with VoIP

No comments this week.
Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

47:09 - End of show

Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.