How Network Forensics Can Help Human Resource Compliance

Something wrong is happening on your network. Call it human nature or simply a few bad apples, but unless your organization is miraculously different from all others, someone is leaking information, someone else is dabbling in porn, and someone else is probably doing a handsome business on eBay—on one of your servers.

Your organization has policies about this—and your industry may have regulations that pertain, as well. You need to ensure these policies are complied with—or you need to collect evidence to take action when they’re not.

When you suspect something is wrong, do you have the means to conduct an investigation? How do you collect evidence—digital evidence—when there are so many channels of communication (email, Web mail, IM, etc.), and so many places to look on your network?

I review these and other issues for a white paper for WildPackets that you can download here.

Enterprise Printer Fleet Monitoring

Keeping track of an entire collection of printers across an enterprise is still more of an art than a science. Various printer fleet-monitoring tools are available from most of the major printer vendors, including HP’s Web JetAdmin, Toshiba’s Encompass and Xerox’s Office Document Assessment. These tools are useful for IT administrators with relatively single-vendor, homogeneous printer populations, but are not very helpful for printer VARs that want to monitor a mixture of vendor products and keep track of the different printer portfolios at multiple clients.

You can download the white paper, which I wrote for Synnex, here.

Controlling network access and endpoints

As more enterprise computing users become mobile, the chance that one of their laptops will become infected while off your enterprise network grows. And while many corporate IT departments attempt to secure their laptops with anti-virus and personal firewall software, these defenses aren’t enough to keep up with the malicious software attacks that course through the Internet on an hourly basis.

So what can an IT manager do to protect their endpoint PCs? This white paper from the Trusted Computing Group (TCG) reviews what options exist, shows you what endpoint security does and doesn’t do, and explains how it fits into your existing network security solutions.

Stopping Rootkits at the Network Edge

Keeping remote users’ laptops healthy is not an easy task these days. Infections are everywhere, and once these PCs leave the shelter of an enterprise network, they can easily get filled with rootkits, trojan horses, spyware, and viruses. Of the many types of infection, rootkits are the most troubling.

In this white paper for the Trusted Computing Group, I explain what rootkits are, how they do their dirty work, and ways that the TCG is working on stopping them using a variety of developers’ tools.

Anatomy of a Web hack, SQL Injection edition

While there are many Web hacking exploits, none are as simple or as potentially destructive as what is known as SQL injection. This isn’t something new, but what is new is how frequently this attack happens, and how easily you can protect your network with relatively little effort and cost.

The problem is that Web developers tend to think that database queries are coming from a trusted source, namely the database server itself. But that isn’t always the case, and a hacker or even a casual browser can often take control of the Web server by entering text that appears to be valid SQL commands in the right places. The trick is finding the right places.

In a white paper that I wrote for Breach Security, I show you exactly how easy this exploit is. You don’t need any specialized tools other than a Web browser, and you don’t need any specialized skills either. It doesn’t take much time, and the payoffs could be huge: an intruder could easily obtain a copy of your most sensitive data in about the time it takes to read through this analysis.

The paper walks you through what is involved in a SQL injection exploit, using examples of both a Web site that we found at random and one that had previously been compromised, with the hackers publicly describing their methods in a Russian post on the Net. We will show you the consequences of doing nothing and leaving this front door wide open for anyone to walk into your data center. Finally, we will talk about ways that you can prevent this from happening in the future, and what choices you have to protect your Web sites and corporate networks.

You can download the entire paper here.
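To make the "trusted source" mistake concrete, here is an added example (not from the Breach Security paper or any product it discusses) in Python with an in-memory SQLite database: the same login lookup written once with string concatenation and once with bound parameters, run against a normal login and against a tautology typed into the password field. The table, users and inputs are constructed for illustration.

```python
import sqlite3

# Constructed sample data standing in for the database behind a Web login
# form (not from the white paper).
SAMPLE_USERS = [("alice", "s3cret-alice"), ("bob", "s3cret-bob")]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The 'trusted input' mistake: form fields pasted straight into the SQL,
    so text that merely looks like SQL gets executed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Hardened form: the statement is fixed and the values are bound by the
    driver as data, so quotes or keywords in the input cannot reshape it."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run both versions against a normal login and a tautology input."""
    conn = make_db()
    # Classic tautology typed into the password field. In the vulnerable query
    # it yields ... AND password = '' OR '1'='1', which matches every row.
    tautology = "' OR '1'='1"
    return {
        "honest_vulnerable": login_vulnerable(conn, "alice", "s3cret-alice"),
        "honest_safe": login_parameterized(conn, "alice", "s3cret-alice"),
        "tautology_vulnerable": login_vulnerable(conn, "nobody", tautology),
        "tautology_safe": login_parameterized(conn, "nobody", tautology),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable version returns every user for the tautology input while the parameterized version returns nothing, which is the whole difference between an open front door and a closed one.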

Cranite SafeConnect Has A New Twist on VPNs

If you absolutely need total control over your remote users, and need to run the widest possible range of applications, then the Cranite Systems Inc. SafeConnect VPN software should be on your short list of products to consider. I recently did some tests for the company and found that SafeConnect is neither fish nor fowl, and sits squarely between SSL VPN and IPsec products, combining the ease of use of the SSL crowd with the end-to-end application interoperability of IPsec.

I tested the product on a series of laptops and compared how it worked with SSL VPNs from Juniper, Nokia, and other major manufacturers. Overall, the product stood up well in these tests. SafeConnect will prevent eavesdropping over the remote connection no matter where and how your users connect, and it is easily set up in a few hours. It will support a wider range of applications and do so without any additional configuration required. It delivers extremely high file transfer throughput, way beyond any of the SSL VPN products. Finally, it is priced attractively at about a third to a half of what competitive SSL VPN products with equivalent feature sets would cost.

There are several other things the product doesn’t do. It can’t and doesn’t try to compete with the SSL products for unmanaged remote users, since its client must be installed on each remote desktop or laptop. It doesn’t provide the level of client endpoint integrity checking that a Nokia, Juniper or F5 SSL product provides. It also has three major deficiencies: First, it doesn’t prevent users with duplicate credentials from concurrently connecting to the network, and it doesn’t report on these circumstances either. This puts a burden on your IT department to keep track of their client credentials. Second, there is no auditing ability, which we discuss more completely below. Finally, while the product comes with its own LDAP and RADIUS servers, if you do decide to use these pieces you will have to configure them via their separate command line interfaces. Cranite should integrate these into its own graphic configuration screens.

We liked the fact that once you were connected, your remote connection was solid and bullet-proof against man-in-the-middle attacks. We tried to break the connection by sending malformed packets with a bad MAC address – something that would bring down any SSL VPN connection – but SafeConnect kept on going without any problems. About the only way to tear down the connection would be to fill the pipe with a denial of service attack or to lose the line entirely from our ISP.

You can read my full report on Cranite’s Web site here.

Email Application Servers: Beyond One-to-One Messaging

I did a series of reports back in 1999 for various private clients on email technologies. This was done for Delano and talks about email app servers.

Email application servers will be the tie that binds this new breed of workers. The difference is that email applications are now two-way, fully integrated into the corporate consciousness. Those workers who don’t know how to make use of email servers will waste hours or lose information. And those who are content to continue with one-to-one communications will fall behind their competitors.

Let’s review how email application servers are transcending one-to-one messaging. We’ll examine the role played by these new products, how you can harness the power of these servers and some of the issues involved in moving towards these more interesting and advanced uses.