FRAMINGHAM (04/10/2000) - Week 5: Pat suffers his first e-mail virus and learns that sometimes the student knows more than the teacher
The day before my Check Point Software Technologies Ltd. FireWall-1 class, I thought it was going to be pretty boring. That is, until I got a strange e-mail from my boss's boss, Mark, the director of network services. It just said "check out these links." Then our webmaster jumped into my office, saying she had also gotten a weird e-mail from Mark. "Oh s!*#&" flashed through my brain, because while the e-mail was addressed only to me, she had received the same.
I brought up Microsoft Corp. Exchange Administrator to check the queues and disconnected the mail transfer agent from the Internet. Disconnecting prevented the e-mail from sending itself out to all of our remote mail sites, which would have been catastrophic both from the hit on network performance and the fact that we would have been proliferating a virus. The queue was full of this e-mail, trying to send itself to every address in our company.
As it turned out, a colleague had sent Mark the Visual Basic script for the VBS.Freelink virus. What saved us was that he was running Panda Anti-Virus on Windows 2000, so the attachment wasn't in any of the e-mails he had sent from his mailbox.
This is a limitation in the version of Panda used under Windows 2000 Server.
Needless to say, we had no antivirus software on our Exchange server either. So an e-mail went to the e-mail/server administrator, stating that we needed some by next week. This was our first e-mail virus, and we were lucky this time.
Which brings me to my class.
I have learned the hard way about the instructors who teach classes like this.
The expectation is that the instructor has a thorough real-world understanding and experience of the subject - or at least knows more than I do!
One of the other students was the director of security consultants for a big phone company. It is because of this guy - I will call him Sean - that I stayed in the class.
The first day was pretty boring, and considering that we paid $4,000 for the four-day class, I didn't feel it was worth $1,000. We learned the basic graphical user interface of FW-1, but every time someone asked a question, the instructor's answer was, "We'll get to that later."
The Magic Stuff
Sean broke out the new laptop he just got, which can boot with either Linux or Windows 98. But the real magic stuff was on Linux. I connected my laptop to his and slurped down everything he had, and the class decided to make a field trip during lunch to get blank CDs. Sean gave us 3GB worth of free software such as utilities, hacker tools and antihacker tools.
Of course, I was up every night of the class till 2 a.m. burning the CDs on my portable burner for the guys. But, hey, these classes are for networking, right?
Day 2 was definitely more interesting. A couple of the guys made a comment about these Nokia Corp. (www.ipsilon.com/products/index.html) network appliances that run a stripped-down version of the BSD Unix variant and Check Point FW-1. They're cheaper to buy than a new workstation, plus you can set them up at remote locations and administer them remotely.
So on Day 2, we learned more about the management of FW-1 and the basics of the Policy Editor, which lets you edit the policy on the firewall about what you allow and don't allow through the network. We also learned about the Network Address Translation Editor, which lets you edit proxy configurations for translating internal nonaddressable IPs to addressable ones.
I was beginning to not like the instructor very much, and the rest of the class felt the same way. Every time the instructor didn't know something, he would just say, "Hmmm, yeah. Right." But we learned a lot from Sean. I'm going to try and persuade my boss to let him come and consult for two days on our security policy.
Demo Attack
On Day 3, the natives got restless. After lunch, while the instructor was talking about the Anti-Spoofing and SYNdefender pieces of FW-1, Sean mentioned that he could launch a denial-of-service attack against these very elements of FW-1 running on our firewalls. We watched as Sean spoofed out three addresses, sending out packets to all the firewalls in the class. In about one minute, all the alarms on all the firewalls were going off, signaling a SYN attack. And we sat helpless, not able to even get to the console of the firewalls because the alarm boxes kept popping up. Funny in the classroom, but I'm now going to have to contact Check Point to see what can be done about it.
Since the firewalls were running on NT (Nearly Technology, according to Sean), I felt very comfortable learning the process. On Day 3, I learned how to work virtual private network (VPN), antispoofing and other things that were on my laundry list of items to learn in class. And then on Day 4, we learned probably the most important piece: the SecureRemote client.
This was important because this is how I'm hoping to have all of our remote Exchange sites connect to us. It's becoming more difficult to get static IPs on dial-up connections - both analog and Integrated Services Digital Network, as well as our laptop warriors in the field. With SecureRemote, we can allow them to have Dynamic Host Configuration Protocol-assigned addresses and then connect via VPN through their Internet service providers back to our Network Operations Center.
On my way to the airport, I received a page from the office - the first one all week. Apparently someone has been using our file transfer protocol (FTP) server as his own little OC3 file server! There were 2GB of games on the hard drive, and one of them was a stolen version of id Software Inc.'s Quake 3. I happen to know one of the guys at id Software, so I told him I would e-mail the FTP logs and all the info I have gathered on the group, which is a lot. They were too stupid to hide their tracks. I'd like to work with him on it, since it will involve the authorities and I can maybe learn a little from the experience.
Next week, I will begin my internal investigation, implementing some of the new items I learned in class and hopefully testing a new intrusion detection system, CyberCop from Network Associates Inc.