FRAMINGHAM (04/24/2000) - Week 7: Looking for a batch file to date-stamp firewall logs; still cursing at kludgy vendor Web sites

Being organized is highly overrated, but it's something that we must learn as security administrators and engineers.
My office still looks like a tsunami hit it, even though I have new furniture and I try to organize my piles of paper and notepads. It bothers me that my boss keeps only one magazine, one notebook, a computer mouse and a keyboard on his desk. He pushes more paper than I do, so I'm trying to figure out how he keeps his office so clean. The lack of cleanliness in my office is starting to bleed over onto my network drives. I'm gathering so much that I don't know how to organize it all.
Last week, we had some misfortune with our lab firewall - a .bat file deleted all the executables in the %system%\fw\bin directory. I rebuilt the firewall and found time to work on the .bat file. I need something in Windows NT to date-stamp the logs to process them daily. If you know how to set an environment to date-stamp a file or how to name the file with the date it's run, e-mail me at firstname.lastname@example.org.
So far I have switched the logs and exported them in comma-delimited format into Microsoft Corp.'s Access to look for hacks or unauthorized usage. Then I stopped the firewall daemon, deleted the old log in the fw\logs directory and restarted the daemon. That clears the log buffer. FW-1 will automatically create new logs.
I set the AT Scheduler in the Windows NT Resource Kit to run this job every night at midnight. After the firewall daemon starts, another .bat file is run to send the exported logs to my internal server via file transfer protocol (FTP) so I can review the logs.
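An added example (not the column's own script) of the nightly job described above, with the date-stamp the writer is looking for. It assumes Check Point FW-1 4.x installed under %FWDIR% with its fw logexport and fw logswitch commands, a US-locale "date /t" output, and C:\fwlogs and C:\scripts as the archive and script paths; the guard on an empty %FWDIR% is there because a "del" against a half-built path is exactly how a bin directory gets wiped by accident.

```batch
@echo off
rem fwlogs.bat - export and date-stamp the FW-1 log nightly on Windows NT 4.
rem Assumed paths and commands (not from the column): FW-1 4.x under %FWDIR%,
rem archive directory C:\fwlogs.
setlocal

rem NT 4 has no %DATE% variable, so parse "date /t", which prints
rem "Mon 04/24/2000" in a US locale. Tokens 2-4 are month, day, year;
rem reorder them if your locale prints the date differently.
for /f "tokens=2-4 delims=/ " %%a in ('date /t') do set STAMP=%%c%%a%%b
if "%STAMP%"=="" goto nostamp

rem Never build paths from an unset variable: "%FWDIR%\bin" with FWDIR empty
rem becomes "\bin" and any del against it hits the wrong directory.
if "%FWDIR%"=="" goto nofwdir
set LOGDIR=%FWDIR%\log
set ARCHIVE=C:\fwlogs
set OUTFILE=%ARCHIVE%\fw-%STAMP%.csv
if not exist "%ARCHIVE%" mkdir "%ARCHIVE%"

rem Export the active log as comma-delimited text named by today's stamp,
rem then rotate it in place. fw logswitch closes the current log and starts
rem a fresh one, so the daemon does not need to be stopped and restarted.
"%FWDIR%\bin\fw" logexport -d , -i "%LOGDIR%\fw.log" -o "%OUTFILE%"
if not exist "%OUTFILE%" goto exportfail
"%FWDIR%\bin\fw" logswitch
echo Exported %OUTFILE%
goto done

:nostamp
echo Could not build a date stamp from "date /t"; check the locale format.
goto done
:nofwdir
echo FWDIR is not set; refusing to touch any firewall directory.
goto done
:exportfail
echo Log export failed; the active log was left untouched.

:done
endlocal
rem Schedule it nightly with the NT Schedule service, for example:
rem   at 00:00 /every:M,T,W,Th,F,S,Su cmd /c C:\scripts\fwlogs.bat
```

Because the exported file already carries the date, the stamped copy can be sent on by the existing FTP batch file without renaming.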
As Bad as Calculus
Tuesday was pretty boring. I tried to load Windows 98 on an old 760ED IBM ThinkPad to begin testing the virtual private network (VPN).
It looks like I'm going to be asked to implement a VPN soon. I'm having a hard time understanding this. The challenge is that you have to authenticate your session. Then you have to decide if you want to encrypt it, then you have to decide if you want to encrypt the authentication and then highly encrypt the session. Note to self: Quickly learn quantum mathematics, calculus and any other difficult math so I can get this all straight!
I went to Check Point Software Technologies Ltd.'s Web site via FTP to get the SecuRemote Client piece.
At Check Point's site, there are about 20 different SecuRemote clients to download and no documentation. Shame on you, Check Point. You should always tell people what you have and what they need to download. Now I have to e-mail my vendor and wait for a reply and e-mail the help line for Check Point's authorized training center just to see who will answer first.
While I am waiting, I plow through the demo book of the FW-1 class I just took.
They had some labs of how to set up the SecuRemote. I went through the worksheet, generated my keys, configured my user account and created two rules in the firewall, one for authentication and the other for the encryption/VPN tunnel.
Later, I finally got an answer about which one to download, so I grabbed it and started the laptop. After installing the client, I connected to a generic dial-up Internet service provider. Then I launched SecuRemote, typed in the name of the firewall and hit Get. It grabbed the correct IP address of our firewall - so far so good. Then I hit the connect button. After a minute or so of watching the RX/TX lights, a window popped up to say the host didn't have the proper license for the VPN. However, I knew we had the VPN+DES+Strong version of FW-1; we had just renewed our license and the company said it was licensed for SecuRemote.
On Wednesday, I had a conference call with Entrust Technologies Inc. in Plano, Texas. The company provides software to create Certificate Authority servers and encrypt e-mails, desktops, laptops, whatever you want. It looks pretty neat, and the company said it integrates wonderfully with Windows 2000. Of course, you have to take what a salesman says with a grain of salt and then consult with either his tech support person or another person you trust. The other problem is that this stuff is deadly expensive - like $30,000 to start just for the software. Let's not forget that we will also need another server/workstation to run this software plus the yearly support and upgrades.
We'll talk later about Entrust.
I Want My Nokia
The best is yet to come: I was able to go to a demonstration of Nokia Corp.'s IP 440, a rack-mounted unit that combines high-performance IP routing with a complete implementation of Check Point's FireWall-1 enterprise security suite.
This is what I really want to buy next. It runs a very slimmed-down version of FreeBSD; I was told that 700KB was the total size of the FreeBSD operating system. The IP 440 can be configured with up to four four-port Ethernet cards and a Channel Service Unit/Data Service Unit if you want to plug a T1 line or frame relay directly into it.
I got to configure it right out of the box. I plugged a serial cable into it, then connected the other end to a laptop and began a Telnet session. After inputting a username and password, I assigned an IP address to the first Ethernet port. Then I connected a crossover cable from my laptop to the first port on the 440. I launched Internet Explorer 5.0 and went to the address I had assigned and found I can configure the rest of the 440 through a browser. It even provides a back-up system and FTP server so that you can back up your configuration and FTP it to another server.
So, if anything were to happen, I would simply reload the operating system and FTP over the backup, do a restore and be back in business.
Back in my office, I met with RSA Security Inc. about the SecurID authentication system for our network team. We should have stronger authentication than simple passwords, given that we hold the keys to the kingdom. More on that next week.