there are even software packages that can produce reports. What I would like is a cross router platform software program that can compile outbound traffic reports that doesn't cost several thousand dollars in licensing.

Been tinkering with one that can grab the router logs on any SMB or consumer router and display it in graphical terms. So far my tinkering hasn't come up with something that can be used on all models of consumer level routers [and SMB products].
0 Votes
If you do
Michael Kassner 4th Jun 2009
You will become wealthy. That would be something I'd consider extremely useful.
I like Kiwi syslog but ... not all consumer level routers have the syslog capability.

I've tried some code that will allow a lan login and then query the log files the router has. Had intermittent success with Linksys and none so far with Netgear.
0 Votes
It seems
Michael Kassner 4th Jun 2009
That it would be a difficult task, just considering all the variables.
that doesn't work with Kiwi, for years. I'm pretty adamant about telling my clients they need to look for one that works.

Kiwi has saved my butt many times; only recently it helped me find a possible security problem in Brother Corps. CDROM drivers. I think it had perimeter scanning crackware encoded in it; NOT the spooler service it was cloaking itself as.

I had to pay a LOT of money and argue with my ISP and Brother for about two months before I got down to the bottom of it.

Those outbound alerts are the best indication of undiscovered infection inside my perimeter. A good IDS that works on port 80 can't hurt a bit either.
0 Votes
I've been looking for an application that would work with Win servers and Kiwi looks good. Did you install the snare agent on Win2K3 servers perchance?
I wasn't privy to everything on that contract. I always install syslog as an application and service on my and my clients' LANs.

We had a pretty tight perimeter there, and we used Server 2003. I took my MCSE under W2K, but never used it again. We were rapidly deploying to XP and Server 2003 at the time to ease HIPAA restrictions.

My immediate supervisor was pretty good at hacks like that, though. Wireshark and snort were very popular with the head office.
0 Votes
I like Kiwi use it here but....
CG IT Updated - 8th Jun 2009
The problem is customers don't see the benefits of spending $195.00 for it just to capture logs I can read on the router for free.

Part of the problem is that you buy the thing for a single install. I'm working on a low cost NOC type program that grabs the logs for viewing on multiple disparate systems. And not spending a lot of hours to create.

0 Votes
Good luck!...
JCitizen Updated - 8th Jun 2009
I see a lot of syslog readers for free on CNET; but for multi-systems that would be the bomb!

I deal most with private clients and SMBs; the single users can go the free route, but surprisingly my SMB clients usually buy Kiwi after seeing a demo. I'm not a software peddler, I just get a kick out of giving extra service. I hate IT crime with a passion!

I don't like keeping my router console open; and it wouldn't stay that way anyhow. I'm just paranoid and like to have it running on a monitor so I can take a quick look at traffic, with the other eye cocked toward the IDS intrusion light panel too!

I must have a nose for trouble, because I always happen to be looking at the light panel when trouble starts and I can quickly follow up with syslog observation.

This is for small time of course, big offices would need something like you're putting together; with alerts and filtering put in for clarity. Otherwise you'd be overwhelmed, as you already know. The folks at solarwinds are real helpful in this regard.

I also get an email from CheckPoint once a month from my service with very good analysis, pie charts, IP addresses of top offenders, the works. Makes for a very good overall picture of the threatscape. (not FortiGuard)
0 Votes
Is good that way. They are high on my list of firewalls for larger clients as they do cost a bit too much for most SMBs.
0 Votes
True...
JCitizen Updated - 10th Jun 2009
Many of them may do better with some dd-WRT solutions I saw on Tom's Hardware - haven't had the time to look into it, however.

I would like to buy a cheaper used Barracuda unit, and play with it for a while. Most serious businesses seem to swear by it. I know I didn't care for Cisco in my experience. I know they trained me, but their equipment really sucks for the money they charge!
0 Votes
Me too
Michael Kassner 11th Jun 2009
I'm also Cisco trained, but if you don't use their equipment daily you lose touch. They need to get up to speed with the others when it comes to GUI.
I buy my routers off the compatibility list specifically because I've yet to find a vendor provided firmware that comes close.

- dhcp issued static IP
- configuration backup
- internal traffic rules like my NAS not being allowed to talk to the public interface

Those are not the only features but those alone trump what usually ships on Linksys anyhow. If the consumer grade hardware is enough for your required task then ddWRT will fill it out with enterprise class functions.
0 Votes
It's been a while...
JCitizen Updated - 12th Jun 2009
since I was into it; but my foggy mind recollects seeing some links posted by reviewers about analytic emails you could get from some of the FOSS service solutions featured there.

This would be great if true. Beats getting charged $50 bucks a year(or so) to do the same thing.
0 Votes
When you get it to a point where you need beta testers, I'd gladly help if you were so inclined.
You could forward logs to a log server then analyse through that interface. It may not provide exactly what you're after though.
0 Votes
That would be a really cool thing as well.
0 Votes
The thread above lists consumer level hardware which may allow dd-WRT. If it won't push directly to an rsyslog then it does have the option to mount a samba share. Not ideal but gets logs onto a remote system. An sshfs into the router or out to a server could also be possible. Logs on the remote server make it simply a scripting task.

As for alerts, I don't see why a log monitor couldn't be run against the logs when they hit the consolidating server. There is already a program to send the sms out to a pager number.

OpenWRT should be able to do it if dd-WRT can't be used.
0 Votes
Do you know of any monitors that you like?
0 Votes
reading logs is actually embarrassingly new to me. I started with ksystemlog which led quickly to grep (same filtering outcome, no X required, logs not limited to what's default).

Right now I have only a few servers to monitor so my admin's Thunderbird pulls the logs safely through pop3s for daily scanning by hand. I'm unwilling to have them push into a central log server until I can be sure of rsyslog through tunneling.

For reporting systems it's the usual suspects:
snort, rkhunter, tiger, tripwire, chkrootkit, psad.

For me, the next step will be more industrial log analysis and alert notices.

The one program that has had an obvious sms or pager alert function is a little app that watches your network daemons and performs an action; restart the daemon and send the admin an email. Or, if the lines are uncommented, send to a pager using XYZ application.

I've moved away from using it but I can go back and look; band-aid fix for an old Mandriva based server where my newer machines based on Debian don't present random Apache crashes.

Gah.. there was also something I read past on Linux.com a while back that did log analysis resulting in pretty graphs. The PDF must be in my library so I'll see if I can track that down later.
0 Votes
Cool
Michael Kassner 9th Jun 2009
No rush, we will be here.
0 Votes
Neon's ahead of the curve..
JCitizen Updated - 8th Jun 2009
I'm always saying when I ever get the time, I was always going to follow up on some good links to open source solutions listed with some of the equipment at Tom's Hardware.

Excellent place to start for silly ol' me anyway.

Problem is; Windows always gets in the way and forces priorities elsewhere. I'll probably have to buy a used Barracuda gateway and play with it to catch up.

That seems to be the direction Windows business is heading in larger shops now. Thank God nobody wants Cisco, I've hated those buggers since my CCNA school.
0 Votes
Michael
santeewelding 4th Jun 2009
You have the con, and I'm glad of it.

In fact, you climb to the crow's nest and operate with a 360-degree view.

Thanks yet again.
0 Votes
Security logs
Blaszta 8th Jun 2009
Thanks for the reference of security logs. I'm always puzzled when reading some of the logs.
0 Votes
If you are interested Randy Franklin Smith has e-mail newsletters that will notify you of Web casts about security logs. I watch them all the time and they are very informative.
0 Votes
Also...
JCitizen 8th Jun 2009
Kiwi and others have code charts that explain the log features, and pretty soon you get a pretty good picture of what is an actual problem and what is just "background radiation".
0 Votes
I had forgotten about that. Stuff for another article.
Most IT departments have little to no security. They buy a 'firewall' and assume they are protected. The biggest weakness is a rogue computer inside of the firewall, so monitoring and even limiting outbound traffic is CRITICAL! Outbound traffic can be limited to ports used for internet, email, and IM only. So far most viruses use strange ports so they are easily blocked this way.
The gateway firewall keeps things from getting into the network easily but I like each node inside to do its own work. My *nix servers all run snort, psad, rkhunter and solid firewall rules. The workstations should be no different, each doing all it can to protect itself.

IT departments afraid to play "what if something gets in" are not nearly as rare as they should be. "We have a perimeter firewall, we're golden" is far too common.
0 Votes
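As an added example, not written by anyone in this thread, here is the kind of small log monitor suggested upthread (logs forwarded from a dd-WRT or OpenWrt box to a consolidating server, then a script run against them), which compiles the per-host outbound report and flags connections to ports outside the "internet, email and IM only" policy described in the post above. The netfilter-style line layout, the interface names br0/vlan2 and the exact port allowlist are assumptions; the log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Allowed outbound destination ports, after the "web, email, IM (and DNS) only"
# policy from the post above; the exact set is an assumption to adjust per site.
ALLOWED_PORTS = {53, 80, 443, 25, 110, 143, 587, 993, 995, 5222, 5223}

# Constructed sample lines in a netfilter-style layout, roughly what a dd-WRT
# or OpenWrt box might forward to rsyslog with firewall logging on (assumed).
SAMPLE_LOG = """\
Jun  8 10:01:12 router kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.20 DST=203.0.113.10 PROTO=TCP SPT=50123 DPT=443
Jun  8 10:01:13 router kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.20 DST=203.0.113.11 PROTO=TCP SPT=50124 DPT=80
Jun  8 10:01:20 router kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.31 DST=198.51.100.7 PROTO=TCP SPT=41000 DPT=6667
Jun  8 10:01:21 router kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.31 DST=198.51.100.7 PROTO=TCP SPT=41001 DPT=6667
Jun  8 10:02:05 router kernel: ACCEPT IN=vlan2 OUT=br0 SRC=203.0.113.10 DST=192.168.1.20 PROTO=TCP SPT=443 DPT=50123
Jun  8 10:02:30 router kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.45 DST=192.0.2.99 PROTO=UDP SPT=5353 DPT=53
"""

LINE_RE = re.compile(
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)

def parse_outbound(log_text, lan_if="br0", wan_if="vlan2"):
    """Yield (src, dst, proto, dport) for LAN -> WAN entries only."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["in"] != lan_if or m["out"] != wan_if:
            continue  # inbound replies and unparseable lines are skipped
        yield m["src"], m["dst"], m["proto"], int(m["dpt"])

def outbound_report(log_text, allowed=ALLOWED_PORTS):
    """Per-host destination port counts plus the connections outside policy."""
    per_host = defaultdict(Counter)
    off_policy = []
    for src, dst, proto, dport in parse_outbound(log_text):
        per_host[src][dport] += 1
        if dport not in allowed:
            off_policy.append((src, dst, proto, dport))
    return {h: dict(c) for h, c in per_host.items()}, off_policy

if __name__ == "__main__":
    hosts, flagged = outbound_report(SAMPLE_LOG)
    for host, ports in sorted(hosts.items()):
        print(host, ports)
    for entry in flagged:
        print("OFF-POLICY outbound: %s -> %s %s/%d" % entry)
```

On the sample, the host 192.168.1.31 talking to port 6667 is the only thing outside policy, which is exactly the "rogue box inside the firewall" signal the post is after; on a real server the off-policy list is what you would hand to the pager or email alerting step.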
For sure...
JCitizen 8th Jun 2009
and then half again as many have weak outbound protection to boot.
Windows Firewall provides some protection and does outbound as of SP3 so it'll be a matter of figuring out a good policy to inject into each of the workstations. For now, I just want to be able to drop a rogue box on the network and still not get anything from it easily.

Now, I'll also have to look into a way to manage dynamic IP while mitigating ARP poisoning. Luckily, there doesn't seem to be a pre-generated table attack for Kerb5 PreAuth hashes so strong passwords still mitigate dictionary and brute force.
0 Votes
Stays that way. If dictionary or rainbow tables get that good, we are in trouble.
0 Votes
I've noticed that protection is moving more internal. Actually, security is circling the wagons around the data and letting everything else go wild. It's an interesting concept, but not quite ready for prime time.
It's expensive to get a good third party testing firm in for a visit but the report they hand back after is pretty powerful when talking to decision makers.
0 Votes
It's a game changer
Michael Kassner Updated - 9th Jun 2009
As I mentioned in the article, I've been able to promote that a security audit isn't as expensive as the upgrades I suggested and they fall for that. As they think they will have proof that things are OK. Nine times out of ten after the audit they spring for the upgrades as the testing backed up my claims.
made them a believer in the state of their interior network. I emailed it to them and introduced it as a matter of fact state of business, with no criticism or complaint.

I can now brag there is no extraneous background radiation! All their efforts of course; but lawsuits, and that recent FTC action, in the news, may have made them a believer!

My report couldn't have had a bearing on that could it? devil
0 Votes
Great
Michael Kassner 11th Jun 2009
Kudos to the ISP as well for listening.
0 Votes
Exactly
Michael Kassner 9th Jun 2009
The funny thing is that those two items are relatively easy to do. I guess it's just overlooked.
as a critical item?

0 Votes
Minimum...
JCitizen 8th Jun 2009
I'd say. Good starter for newbies, and a good checklist for low-IT-knowledge business supervisors.

Good article! But they always are with Michael.

These are the most critical, like - it's an emergency!
0 Votes
I mentioned earlier that Randy has frequent Webcasts about security logs. He has one June 24 titled:

7 Ways to Reduce the Noise in the Windows Security Log

http://www.ultimatewindowssecurity.com/webinars/register.aspx?id=61
That looks like a good one! Maybe my next boss will make these a priority!

I think he will! Thanks Michael!

Hopefully I can just reduce the log events on my home machines, until then!
0 Votes
I think
Michael Kassner 11th Jun 2009
He makes the recorded Web casts available. I truly think he's the premier expert on MS event logs, especially the security ones. I've learned so much from him.
malware process guards for conflicts.

Speaking of which - have you been getting reports on how IE 8 is ditching Comodo Defense+? I am having to reinstall all my clients' firewalls with it turned completely off, or they go into a boot loop! (XP)

I hope that browser can make up the difference! Must be some powerful security added in the last two updates!
Great article. Here is another best practice guide for securing private data.

http://www.leapfile.com/files/Resources/Security-And-Data-Privacy-Compliance-Guide.pdf
Join this newly started group to keep up to date on security & privacy policy regulations and also to learn best practices from others.

http://www.linkedin.com/groups?gid=1960734
0 Votes
I especially like the table of state laws.

I will join that group. I'm a member of ISSA and they have several active groups on LinkedIn as well.