Grumpy Security Guy

I’ve suffered the tortures of the damned


These are the crazy people in your security neighborhood - Part 4, Packet Pete

September 12th, 2007

Poor Packet Pete, he has fallen behind the times. His glory days were around 1998, when all security issues could be solved on the network. Pete lives in the land of firewalls, router ACLs, IDS systems and VLANs. Since everything is just a packet on the network, Pete thinks he can secure and control the entire infrastructure by controlling and monitoring packets. We of course know that this is not true. A firewall can’t do much when the rule is “ALLOW port 80 from anywhere to webserver”, and once you add the rule “Allow port 443 from anywhere to webserver”, 99% of the time my IDS/IPS is now blind as well, because it can’t see inside the encrypted traffic. I have an all-time favorite Packet Pete story.

I coulda made millions on the IIS double decode flaw

Well, not really, but man, I loved that vulnerability. Too bad someone had to write a worm and force people to clean it up. I was doing a lot of pen tests during this time for a consulting company. 9/10 times, if there was an IIS server, it was vuln to this. I had written a script that was basically nmap + awk + xargs + tftp + netcat and could own every IIS server on a netblock in like 5 minutes. It totally owned on internal networks, but I digress. So we are in a kickoff meeting with a new customer, a large medical malpractice insurer, and their security guy is a total Packet Pete. This was an external test only, and this guy lays this network diagram in front of me:

Packet Pete Network Map

Then he proceeds to tell me how it is impossible to get access to the database with the patient records from the outside because of all the firewalls and ACLs he has. He ponders out loud, “Why are we even bothering with this? The network is clearly secure.” See, we were working through audit, not the security team, so they were a little miffed. I asked if I could hold on to the diagram and got a “This is a secure document and can’t leave the building!” response. Whatever, dude, like there are not 1,000,000 network diagrams like that. We start the next day and 5 seconds in I have a remote shell on the IIS server. I start poking around and find that someone had left the command-line Oracle tools installed. Bingo! A little poking around in the web root and I find a user account. Now I am into the DB server that feeds data to the web server. Some decent stuff here but nothing too exciting. I then notice that the internal “real cool stuff is here” DB is linked to this DB! Score! Within minutes I am dumping out confidential medical malpractice data. The HIPAA fine-o-meter is pegged. 45 minutes in and I have the treasure. I call up the audit guy and tell them we are done (thank God it was a fixed-cost deal!).
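The double decode flaw the story turns on worked because the server decoded the URL once, ran its path check on that result, and then decoded again before using the path, so a doubly encoded separator such as `%255c` passed the check and only became a real backslash afterwards. Here is an added illustration of that ordering bug beside the fix (canonicalise to a fixed point, then check the same form you will use); this is example code written for this page, not the author’s script, and the request paths are constructed.

```python
from urllib.parse import unquote

# Constructed request paths for illustration; not taken from the post.
SINGLE_ENCODED = "/scripts/..%5c../private/config.txt"    # one round of encoding
DOUBLE_ENCODED = "/scripts/..%255c../private/config.txt"  # "%25" is an encoded "%"
BENIGN = "/scripts/hello.asp"

def _has_traversal(path: str) -> bool:
    """True if any path segment is '..' once backslashes count as separators."""
    return ".." in path.replace("\\", "/").split("/")

def vulnerable_check(raw: str) -> tuple:
    """Models the flawed order of operations: decode once, run the security
    check on that form, then decode a second time before using the path.
    Returns (decision, path_actually_used)."""
    once = unquote(raw)
    if _has_traversal(once):
        return ("blocked", once)
    used = unquote(once)            # second decode happens AFTER the check
    return ("served", used)         # so what is used may not be what was checked

def hardened_check(raw: str, max_rounds: int = 4) -> tuple:
    """Canonicalise first: decode until the string stops changing, give up if
    it is still changing after max_rounds, and only then inspect the path.
    The form that is checked is exactly the form that would be used."""
    path = raw
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return ("blocked", path)    # nested encoding deeper than expected
    if _has_traversal(path):
        return ("blocked", path)
    return ("served", path)

if __name__ == "__main__":
    for p in (SINGLE_ENCODED, DOUBLE_ENCODED, BENIGN):
        print(p, "->", vulnerable_check(p), hardened_check(p))
```

Running it shows the single-encoded path blocked by both checks, the double-encoded path served by the vulnerable check with a traversing path, and blocked by the hardened one.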

Another thing Packet Petes seem to have is a default deny rule. Need to open a port for a business partner? No! Need to set up a VPN for your remote development team? No! No! Maybe an SSL VPN for sales? No! No! No!

Professional Conclusion: Be careful you don’t get sucked into his myopic vortex; he will stunt your career. If you need to know about packets and ACLs, this is your guy, but don’t model your career on him.

Vendor Conclusion: Got something to help him enforce draconian network traffic rules? Sold! Try to sell him on application security and expect lots of drooling and babbling about the application security module in his firewall.


Tags: Humor · Security