Setup

My plan was to use pfSense on my home network. I have an existing PC with two network adapters that is running VMServer. The plan was simple, replace my Netgear firewall with pfSense. Here is how I set up the network. For those of you not familiar with the underlying operating system of pfSense(BSD), le0 and le1, are the designations for the network adapters. On the Linux side they are known as eth0 and eth1. Under VMServer they are known as Ethernet 1 and Ethernet 2.

1. le0 is connected to Ethernet 1. VMServer calls this network /dev/vmnet0 and it is bridged to motherboard network adapter(eth0). This will be my LAN network. It uses a private network address(e.g. 192.168.x.x) and will be a DHCP server for this network in the final configuration. Until I finished setup and testing, DHCP was turned off.
2. le1 is connected to Ethernet 2. VMServer calls this network /dev/vmnet2 and it is bridged to a network adapter card(eth1) I installed. This will be my WAN network. In my case I will be using the static IP address assigned to me by my ISP in pfSense. One of my problems was that I was not sure what IP address to use for the VMServer side. In my testing I concluded that VMServer provides a “true” bridged network. I decided to use a private network address(192.168.x.x) on a different sub-network for eth1. I am pretty sure that this address is inaccessible from the outside world but I am going to lock it down anyway.

Before I started configuring pfSense I printed a copy of my Netgear configuration. While I was at it, I did a copy and paste routine to create a Netgear configuration document for my records. This document might save you a lot of time some day when your network has a really major problem. Once I had settled on a configuration the installation and configuration of pfSense was pretty easy.

1. I moved my WAN cable from the Netgear firewall to the WAN network adapter on my VMServer PC and booted pfSense. During my initial pfSense setup, I used my static IP address for the WAN adapter and an unused static IP address in my existing network for the LAN adapter.
2. Next I logged into the pfSense console via a web browser and confirmed that the LAN and WAN were working properly. Using my Netgear configuration document I completed setting up pfSense(i.e. port forwarding).
3. At this point the firewall is fully functioning but no one is using it. So I logged into my Netgear firewall and turned off the DHCP server. I went back to the pfSense console and turned on its DHCP server. The pfSense firewall is now ready and able to accept new connections. It has new network addresses for the gateway and the DNS servers but my computers will not connect to the Internet until they start using these new addresses.
4. To configure the computers that use DHCP for their network configuration, I went to each PC and forced them to renew the IP information. There are several ways to do this including rebooting. I used: ipconfig /renew
5. To configure the computers that use static IP addresses, I manually re-configured the gateway and DNS server addresses on the network adapter.

Performance

The network performance of pfSense was about what I expected. My WAN is the bottleneck so I was pretty sure I would not see a difference. An area of concern was the CPU requirements. I am running Groundwork Open Source in the other virtual machine and GW by itself wanted a more powerful computer than the  2.5 MHz CPU and 1 GB of memory I provided. I was pleasantly surprised to find that the RRD graphs were displayed quickly. This confirmed my suspicion that pfSense has pretty small hardware requirements and that my minimal system was adequate.

Security Philosophy

I have been running the firewall for about a week now and it has been stable and problem free. In today’s world a port blocking firewall like pfSense addresses a fairly limited scope of network threats.   Even though I have a fairly comprehensive security plan that includes robustness and redundancy, it is merely adequate at keeping pace with today’s rapidly evolving threats.  For me the greatest advantage of a firewall like pfSense is its ability to monitor the traffic and probe your defenses via IDS.

April’s meeting will feature the premiere of Fortify’s movie, The New Face of Cybercrime, followed by a reception and round table discussion.

• Source Code Reviews and Open Source Static Analysis Tools
• An Introduction to Web Proxies

The first presenter was Allison Shubert and she talked primarily about making the business case for increased usage of Static Analysis tools. It was a nice presentation and she reiterated a lot of truisms but I still think it is a chicken and egg problem. Management will go along with source code reviews and static analysis after you show the success on an existing project. She recommended googling for static analysis tools for your favorite language. After the meeting I checked out the tools for PHP and most of it was somewhere between alpha and beta. The best looking tool of the bunch was PHP-SAT.org. Its prerequisites are pretty ornery so I will need to do some planning if I ever find the time to play with it. It looks like the commercial folks dominate the static analysis sector for the Microsoft languages. I did not find that many open source static analysis options.

The second presenter was Blaine Wilson and he talked primarily about the OWASP tool called WebScarab. He talked mainly about using it to test web applications. I thought he was going talk about a Web Proxy. I saw a slick protocol analyzer with a lot of potential. Testing web application security is cool. You can get the same information with Wireshark or Netmon but this tool is much nicer and it looks like it is pretty good tool for testing web application security.

I was a little too shy to ask Blaine questions about WebScarab since my thoughts had gone immediately to creating test cases and a test framework. Basically I was thinking of ways to automate everything Blaine did by hand and generate a “Unit test like” output. Today I went to OWASP and reviewed the list they are requesting proposals for. Here are two of projects that caught my attention.

P008 – OWASP Security Test Automation

• Project description: Create a tool that generates, records, and plays back security test cases (think JUnit) to enable regression testing for security. This could be based on WebScarab, Selenium, HTTPUnit or something else. But it would create test cases that are custom for a particular application, not a generic scanner.

P009 – OWASP Security Unit Test Framework

• Project description: Create a wizard that will generate security-specific JUnit test cases for all the security controls in your security library. The tool should ask questions about security methods and generate appropriate test cases.

The Security Test Automation project is right up my alley except for the minor problem that I do not know what I am doing. I guess I will play around with WebScarab and see if I can get an old dog to do new tricks. I met Andy Erickson at the meeting. I would describe Andy as the IT evangelist for the Cincinnati area. He has a blog and it is worth reading. Maybe I will ask him for advice.

Session Topics:

• Source Code Reviews and Open Source Static Analysis Tools
• An Introduction to Web Proxies

The meeting starts at 6:30 PM and for more info go to the OWASP – Cincinnati chapter site:

http/www.owasp.org/index.php/Cincinnati

Microsoft Corp. today announced the public availability of Microsoft Office Live Workspace beta (http://workspace.officelive.com), the new Web-based extension of Microsoft Office that lets people access their documents online and share their work with others. Office Live Workspace was among the first entries in the new wave of online services in Microsoft’s software plus services vision previewed last fall.

Recently Microsoft launched Windows Server 2008. Windows Server 20008 is an upgrade to the traditional business workhorse, Server 2003. The Office Live and the Server 2008 products address the office environment with different technologies. What is a small business supposed to do? When you add in the security implications from various regulations and privacy issues that exists outside of the security requirements, the analysis can be a daunting task. To make this a little easier let me take you on a tour and review the tradeoffs between remote access and security.

Remote Access Viewpoint

I use the remote access viewpoint as an extension of the access and usability viewpoints. The traditional file server is easy to use and control and it has great response time. For a one location business it is relatively easy to troubleshoot problems on. For a simple business environment a file server has an attractive cost to benefit relationship. The problems occur when a small business tries to adapt this environment to accommodate remote access. Productivity can improve if an employee can access data and applications when they are on the road, at a branch office, or at home. Although it is not readily apparent the business has undertaken a step change to a more complex environment. What is apparent is that the problems multiple quickly and it is much harder environment to troubleshoot. By definition a business environment with remote access is less secure than a business environment without remote access.

Security

If you are subject to one of the various security and privacy regulations(e.g. PCI, HIPAA, etc.) you can have some real control issues to consider when you add remote access. The recommended polices concerning network access and protection of sensitive information have existed for a long time. In the past a small business could chose ignore these policies since the risks to small businesses were small. In today’s environment the risks are large for both large and small businesses. The security and privacy regulations exist to encourage businesses to recognize and respond to the threats in a proactive manner.

Software as a Service

Over the last decade several firms have offered products that offer software as a service. This offers a business the opportunity to move some of its information technology tasks outside of its office. The most successful example is probably Saleforce.com. They offer a sophisticated customer relationship management program via the web. This can be a cost effective way to add CRM to a company. By using a web application the company can avoid buying additional servers, adding support staff, and reduces licensing issues. As the final mile of Internet access gets faster and faster and Internet coverage becomes more pervasive, software as a service becomes increasingly practical as a information technology option.

The Information Technology Portfolio for a Small Business

I believe the best way to view strategic information technology concerns for a small business is as a portfolio. Windows Server 2008, Office Live, and the other software as a service vendors are frequently complimentary features. It would be difficult to move all of the business processes for most small businesses to the Internet. Not only does the web fail to offer web alternatives to many line of business applications but there are serious security concerns. There could be a real business risk on these new Internet applications. So here are my recommendatons:

• Windows 2008 and all of its competitors continue to be the most cost effective provider in a lot of traditional areas. Windows 2008 has made some welcome improvements in the remote access area via terminal services and remote applications.
• Office Live is a very attractive competitor to Google Docs. These applications appear to be excellent choices for offsite team collaboration or with customers. There are security concerns so these applications should only be used for data that is not subject to legal regulations. Although both services provide security, Office Live, appears to have a more “private” view of the data they are hosting. Amy Babinchak has a nice chart comparing the privacy aspects with two services. I think a lot of people will be more comfortable and familiar with Office Live rather than Google Docs.
• I think there will be a lot of growth with hosted applications. Firms like Salesforce.com will continue to have a robust and growing market. For a lot of small firms with a heavy dependence on email, hosted Exchange services could be a cost effective option. This is good news for the small firms and bad news for the folks selling Microsoft’s Small Business Server.

Every business has secrets that it would prefer to shield from both the public and from rank-and-file employees. These private documents can include marketing strategies, production processes, product formulas, and even the home phone numbers and addresses of company officers.

One of the common uses of disk encryption is to protect this confidential information. For people who have confidential information on their laptops the use of disk encryption is highly recommended if not mandatory. Recently a group at Princeton University published a paper called Lest We Remember: Cold Boot Attacks on Encryption Keys which presented a suite of attacks that exploit DRAM remanence effects to recover cryptographic keys held in memory. In the video and paper they show how easy it is to break into laptops under the “right” circumstances. Since I am a fan of TrueCrypt and to a lesser degree BitLocker this presents quite a conundrum. Can we continue to use and recommend these disk encryption programs? The answer is yes but there are some configuration settings you may want review to be safe.

1. The default setup for TrueCrypt does not cache passwords. A quick way to detect cached passwords is if the Wipe Cache button is grayed out. If you cache passwords you should probably check the box to wipe the passwords on exit or auto-dismount.
2. I auto-dismount the encrypted drives when I log off or enter a power saving mode. For additional security in a large office environment you may want to auto-dismount when the computer enters a screen saving mode or if data has not been written to it for some period of time.
3. I power off my laptop when I travel. This eliminates the primary exploit path in the Princeton method.

There are a variety of reasons why an organization should redesign their web site. Technology is changing continuously and the site that looked smart and fresh last year looks dull and lifeless this year. This web site was originally constructed using an open source CMS called phpwebsite. This was a nice choice a couple of years ago for a magazine style web site but WordPress has caught up and passed it on the technological front. There are many low cost or free CMS systems out there but I think WordPress is leading the pack. Here are some of the reasons that led me to convert this web site to WordPress.

1. WordPress is an open source blog but it is versatile enough to look good using a newspaper/magazine format.
2. WordPress has probably thousands of attractive, standards based templates to choose from. Check out the themes available at themes.wordpress.net. Someone has probably already created a design that you consider attractive. With a minor amount of tweaking you are ready to show off a new look.
3. The WordPress plugin system makes it easy and relatively painless to add new functionality to a web site. Redirecting your feeds to use Feedburner, updating the Google sitemap for your site, or even updating WordPress itself is easy when you use existing plugins. Browse the plugins at wordpress.org/extend/ for some ideas.
4. The WordPress Widget system allows you to change the look of the main page with out changing the template code.
5. WordPress is easy to update. There are several ways to update WordPress but I especially like the convenience provided with the WordPress Automatic Upgrade plugin. This is the five minute upgrade.
6. It was faster for me to convert my site over to WordPress than it was to upgrade to the latest version of phpwebsite!

Picking a theme

For several months I have been looking at themes I could use for my web site. Many of my theme ideas came from Smashing Magazine who regularly review and recommend WordPress themes. It was in the post Premium WordPress Themes: Are They Here To Stay? that I found the theme that I decided on, Mimbo. The Smashing Magazine article primarily talked about premium themes but I thought the free version was probably adequate for my needs. So I downloaded the theme and installed it on my development server. After playing with it for a day I decided it would work. The color scheme and the fonts look okay but I wanted to tweak a few things.

Tweaks

My first tweak was to modify the header. I like to use photos in the headers so I had to rearrange some items to make everything work.

My second tweak was to split the existing sidebar into widgets. I used a modified version of the execphp plugin four times to recreate the sidebar. The existing execphp plugin did not work correctly until I removed an unnecessary div statement it wrote.

My third tweak was to modify the main index template so that the Lead Story and Features would not appear a second time in the middle column which shows the regular subject areas. This tweak was remarkably simple although the WordPress documentation lead me to believe it would not work. Being an old programmer I tried what I thought was reasonable way for the query to work and it worked. I am expecting that almost all of my articles will fall into one of the subject categories shown in this column. When I write a Lead Story or Features article I want to assign it to the subject category, too.

My final tweak was to change the graphics to use 128×128 icons for the lead story and 64×64 icons for the middle column articles. I found some free aero icons that help make a geeky site look a little less drab.