Archive for the ‘Security’ Category

firewall and TCP connection

firewall killing idle tcp connections

An application deployed in the DMZ is configured to authenticate against an LDAP server located in the internal zone.
The initial authentication works fine: a new TCP connection is established through the firewall and the bind reaches the LDAP server. The application keeps the TCP connection open afterwards so that subsequent requests can reuse it and avoid the overhead of a new TCP handshake. Once the connection goes idle, the operating system's TCP keepalive timer starts; the idle time before the first keepalive probe is sent is typically configured to 7200 seconds (2 h).

29.10.2009 , 11_23_38
But a new authentication request 31 minutes after the first one fails.
The problem is that the intermediate firewall drops its state for the idle TCP connection after a configured timeout, currently 30 minutes. Neither endpoint is told: the next packet the application sends is silently dropped (or answered with a reset, depending on the firewall), and the application only discovers that the connection is dead when its read fails or times out.
So what are the options to fix this:

  1. generate traffic so the TCP connection is never idle, a form of proactive monitoring
  2. set the firewall timeout to something larger than the OS keepalive time
  3. set the OS keepalive time to something less than the firewall timeout
  4. handle killed TCP connections at the application layer

Option 1 is fine because it doubles as proactive monitoring. The downside is that the infrastructure then depends on some arbitrary traffic generator or monitoring tool staying up.

If the application behaviour can be controlled (through a code change or configuration), option 4 is relevant. Very often, though, there is a wide range of applications (open source, commercial and proprietary) that all hit the same problem of firewalls dropping TCP connections after an idle timeout, so controlling every application becomes difficult.

Increasing the firewall timeout, as in option 2, could be a way to go. But the firewall is there for security reasons, so consider the consequences before raising it: every idle flow then occupies an entry in the firewall's state table for longer, which makes state-table exhaustion (denial of service) easier, and an established but idle session stays open, and hijackable, for longer.

Option 3 is detailed below.

hardening the TCP/IP stack

Microsoft recommends a KeepAliveTime of 300 seconds (5 min) as part of hardening the TCP/IP stack against denial of service attacks. See "How to harden the TCP/IP stack against denial of service attacks in Windows Server 2003" on Microsoft TechNet, and the Microsoft Windows Security Resource Kit.

The same kind of information is found in Securing and Optimizing Linux: Red Hat Edition, a Hands-on Guide, where the keepalive time (net.ipv4.tcp_keepalive_time) is changed from 7200 to 1800 seconds (30 min).

Operating system hardening recommendations thus already move the keepalive time inside the firewall timeout window, but the value should sit clearly below it: a keepalive of 1800 seconds against a 30-minute firewall timeout is a race the application will sometimes lose. Two caveats: the system-wide setting only takes effect on sockets for which the application has enabled SO_KEEPALIVE, and it applies to every TCP socket on the host, not just the LDAP connection. The downside of a short keepalive is more keepalive packets on the network, which may add to congestion.
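The arithmetic behind option 3, and the per-socket way of applying it, as an added example (this is not code from the original article). It assumes the Linux socket option names; the 1800 s firewall timeout, the 60 s safety margin and the 300 s / 60 s / 5 probe values are illustrative.

```python
"""Keep an idle connection alive across a stateful firewall by tuning TCP
keepalive (option 3 above). Added example for this post, not code from the
original article. Assumes the Linux socket option names; the firewall timeout
and the 300 s / 60 s / 5 probe values are illustrative."""
import socket

FIREWALL_IDLE_TIMEOUT = 1800  # assumed firewall idle timeout in seconds (30 min)
SAFETY_MARGIN = 60            # assumed slack for scheduling jitter and firewall timer granularity


def keepalive_fits(idle, interval, probes, firewall_timeout=FIREWALL_IDLE_TIMEOUT):
    """Return (ok, reason) for a keepalive configuration.

    idle     -- seconds of silence before the first probe (net.ipv4.tcp_keepalive_time)
    interval -- seconds between probes when a probe goes unanswered (tcp_keepalive_intvl)
    probes   -- unanswered probes before the connection is declared dead (tcp_keepalive_probes)

    A probe and its ACK are packets on the flow, so the firewall's idle timer
    restarts at every probe. A healthy peer answers each probe, so the gap
    between packets is 'idle'; a silent peer makes the gap 'interval'. Both
    must stay inside the firewall timeout with some margin. The probe count
    only bounds how long a dead peer goes unnoticed."""
    if idle + SAFETY_MARGIN >= firewall_timeout:
        return False, "first probe after %d s is not safely inside the %d s firewall timeout" % (idle, firewall_timeout)
    if interval + SAFETY_MARGIN >= firewall_timeout:
        return False, "probe interval %d s is not safely inside the %d s firewall timeout" % (interval, firewall_timeout)
    return True, "idle connection survives; a dead peer is detected after at most %d s" % (idle + probes * interval)


def sysctl_lines(idle, interval, probes):
    """System-wide defaults for /etc/sysctl.conf on Linux. They only take effect
    on sockets for which the application has enabled SO_KEEPALIVE."""
    return [
        "net.ipv4.tcp_keepalive_time = %d" % idle,
        "net.ipv4.tcp_keepalive_intvl = %d" % interval,
        "net.ipv4.tcp_keepalive_probes = %d" % probes,
    ]


def enable_keepalive(sock, idle, interval, probes):
    """Enable keepalive on one socket and, where the platform exposes the knobs,
    override the system defaults for that socket only. Returns what the socket
    reports back, so the caller can log the effective values."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    # Linux option names. macOS calls the idle knob TCP_KEEPALIVE and Windows
    # sets all three through ioctl(SIO_KEEPALIVE_VALS); those are not handled here.
    for name, value in (("TCP_KEEPIDLE", idle), ("TCP_KEEPINTVL", interval), ("TCP_KEEPCNT", probes)):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


def demo_socket_keepalive(idle=300, interval=60, probes=5):
    """Apply the tuned values to a fresh, unconnected TCP socket (the options
    can be set before connect, which is where an LDAP client would do it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        return enable_keepalive(sock, idle, interval, probes)


if __name__ == "__main__":
    print("Linux defaults (7200/75/9):", *keepalive_fits(7200, 75, 9))
    print("Microsoft's 5 min (300/60/5):", *keepalive_fits(300, 60, 5))
    print("\n".join(sysctl_lines(300, 60, 5)))
    print(demo_socket_keepalive())
```

With the Linux defaults (7200/75/9) the first probe comes two hours after the last packet, long after a 30-minute firewall has forgotten the flow; with 300/60/5 a healthy connection is refreshed every five minutes and a dead peer is noticed within ten. Setting the options per socket is the middle ground between options 3 and 4 when you own the client code but do not want to change the host-wide sysctl for every TCP socket on the box.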

typical errors

ldap.DirContextHolder – Unsolicited exception thrown for directory context com.sun.jndi.ldap.LdapCtx@
at com.sun.jndi.ldap.LdapClient.processConnectionClosure

ldap.LDAPAuthenticatorStep – Failed to connect to ldap server.
at com.sun.jndi.ldap.Connection.readReply

ldap.DirContextHolder – Created directory context com.sun.jndi.ldap.LdapCtx

Covering Linux, OS X, Solaris and Windows on TCP keepalive configuration
Firewall Session Problems
Preventing disconnection due to network inactivity
How can I change the TCP/IP tuning parameters?
TCP keepalive overview
Using TCP keepalive under Linux

Open Source risks – Java Enterprise rootkits

Open source is ubiquitous. There is literally no project being run these days that does not use open source to some extent. Libraries are downloaded and installed as needed.
If you are working on a J2EE project, what if the taglibs library or the Spring library is trojaned? Or what if a black hat developer is given commit access to one of the open source libraries in use? Remember that the black hat developer may well be an employee of the Russian Business Network or some other large cybercrime business. They relocate and rebrand, but profit makers do not disappear voluntarily.

There was an excellent presentation by Jeff Williams on Enterprise Java Rootkits at the recent Black Hat USA conference. It should be mandatory reading for every Java developer out there.

Malicious developer

The malicious inside developer is not what you should worry about most. They already have access to your premises and your network, so leaving malicious code in the source seems a detour for an insider. A cybercrime company would rather get the code in itself than pay off an untrusted insider; it is the risk/reward ratio that makes cybercrime inclined to attack from anywhere, anonymously, and involving an insider would be an unnecessary risk. If the possibilities of remotely inserting malicious code are limited or removed, then recruiting an insider could become the only feasible option. But it is not there yet.

In a software project the developers are internal, outsourced, commercial and open source developers, and the amount of trust you can put in them follows the same trajectory. Internal and outsourced developers you trust; they even have a face attached. The commercial ones you can at least get to one way or the other, even through court. But what about your open source developers? They do it for free, in their own spare time. How can we make sure they did not put some money-making code in there?

control open source usage

So make sure you only use open source libraries that are widely used, that undergo proper review, and where upgrades and commit access are well controlled. Be conservative about updates and about the selection of open source libraries you use. If not, you are inviting every black hat developer out there to provide you with software. It is like asking the Mob to take care of your savings.

ongoing security verification

In the coding process, the build process and the operational environment there are issues to consider when it comes to security. The number of libraries and APIs deployed in the runtime environment is a risk: is it all needed, and in use? Reflection, class loading and instrumentation (java.lang.instrument agents) are powerful APIs that a black hat developer can easily abuse.
Seal your jars (Sealed: true in the manifest, so that no other jar on the classpath can add classes to the same package and reach its package-private members), and build the open source libraries from source yourself as well. And finally, keep the JDK out of production where the JRE suffices, and watch the extensions folder (lib/ext): every jar dropped there is visible to every application running on that JVM.
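A check for the jar-sealing advice above, as an added example (not code from the original post or from the Enterprise Java Rootkits talk): it reads each jar's manifest, honours both the main-section and per-package Sealed attributes, and reports the packages any other jar on the classpath could still inject classes into. The sample jar is constructed in memory; the package and class names in it are invented.

```python
"""Audit jars for unsealed packages. Added example for this post, not code
from the original article. The sample jars below are constructed in memory."""
import io
import zipfile


def parse_manifest(text):
    """Parse META-INF/MANIFEST.MF into (main_attributes, {entry_name: attributes}).
    Manifest lines are wrapped at 72 bytes; a continuation line starts with one space."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    sections = [{}]
    for line in unfolded:
        if not line.strip():
            if sections[-1]:
                sections.append({})  # blank line separates sections
            continue
        key, sep, value = line.partition(":")
        if sep:
            sections[-1][key.strip()] = value.strip()
    main = sections[0]
    entries = {s["Name"]: s for s in sections[1:] if "Name" in s}
    return main, entries


def package_of(class_entry):
    """'com/example/a/Foo.class' -> 'com/example/a/' (the form used by manifest Name entries)."""
    return class_entry.rsplit("/", 1)[0] + "/" if "/" in class_entry else ""


def unsealed_packages(jar_bytes):
    """Return the sorted packages in a jar that are covered by neither a per-package
    nor a main-section 'Sealed: true'. Such a package accepts classes from any other
    jar on the classpath, which then see its package-private members."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8") if "META-INF/MANIFEST.MF" in names else ""
        main, entries = parse_manifest(text)
        default = main.get("Sealed", "false").lower() == "true"
        packages = {package_of(n) for n in names if n.endswith(".class")}
        packages.discard("")  # the default package cannot be sealed by name
        result = []
        for pkg in sorted(packages):
            flag = entries.get(pkg, {}).get("Sealed")
            sealed = default if flag is None else flag.lower() == "true"
            if not sealed:
                result.append(pkg)
        return result


def audit(jars):
    """{jar name: unsealed packages} for every jar in the mapping that has any."""
    report = {}
    for name, data in jars.items():
        gaps = unsealed_packages(data)
        if gaps:
            report[name] = gaps
    return report


def make_jar(manifest, class_names):
    """Build a jar in memory (constructed sample; class bodies are just the magic number)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name in class_names:
            zf.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed sample: only the auth package is sealed, the tags package is not.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Sealed: false\r\n"
    "\r\n"
    "Name: com/example/auth/\r\n"
    "Sealed: true\r\n"
)
SAMPLE_JAR = make_jar(SAMPLE_MANIFEST, [
    "com/example/auth/Authenticator.class",
    "com/example/auth/Session.class",
    "com/example/tags/FormTag.class",
])


if __name__ == "__main__":
    for jar, pkgs in audit({"app-sample.jar": SAMPLE_JAR}).items():
        print(jar, "unsealed:", ", ".join(pkgs))
```

To run it against a deployment, read every jar under WEB-INF/lib (and the server's lib/ext) into the mapping passed to audit(). Sealing stops package-private injection only; a jar that is itself trojaned needs the source build and signature verification the paragraph above asks for.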

Wikipedia – Russian Business Network
Enterprise Java Rootkits – Blackhat presentation

What happened to the Conficker virus?

It has been quiet for months, but is a comeback to be expected? As the worm is self-updating and has switched from "phone home" logic to peer-to-peer logic, it is considered autonomous in many ways.
The software is still being updated, there are still more than 5 million infected workstations and servers, and all these zombies are just sitting around waiting for instructions.

Mikko Hyppönen (F-Secure), Conficker presentation at the Black Hat conference

loss of attention

During the first quarter of 2009 the peak estimate was roughly 10 million infected machines. The Norwegian police got infected, a London hospital got infected, and a major Norwegian hospital, among others. The cost of the worm, including indirect cost from lost productivity, cannot be estimated. Did it take longer to get the results back from a cancer test? Affecting administrative systems also affects patient care.
Conficker was all over the place. But it has lost attention. The media have moved on to Twitter, Facebook and other social-networking security issues that are more media friendly than a boring botnet that is idle but growing.
And loss of attention is just what they are waiting for. What is the motivation; what are they going to use this botnet for?

The Conficker Working Group has been fighting the Conficker battle since the initial infections in late November 2008, but 8 months later they are actually more on the defensive side. Rodney Joffe, director of the Conficker Working Group, says: "Even if we lose against Conficker, there are things we've learned that will benefit us in the future."


The resources spent on producing Conficker can be illustrated by the cryptographic algorithm used in the Conficker family. Conficker.B started using the MD6 hash algorithm just weeks after its first publication, and Conficker.C updated the implementation just two weeks after the revision fixing a buffer overflow in the MD6 reference code was published. This is slick, leading-edge worm development.
There has been speculation on whether they have funding from an intelligence agency, the military, or even a country. Conficker.A employs two checks to avoid infecting systems located in Ukraine; this code is removed in later versions of the Conficker family. A later update to the Conficker family added a popup marketing fake antivirus software, most likely a disguise to make it look like an everyday for-profit worm.
The best-case scenario would be if they are only in it for the money.

Useful tools

F-Secure Easy Clean, a free tool from F-Secure to remove Conficker
Microsoft Windows Malicious Software Removal Tool, to scan your system for infections
Make sure you configure Microsoft Update to get the latest security patches.


WS-Security and WSM

In a SOA solution the security requirements change as more and more business-critical information is exposed on the service bus. The growing complexity as the number of providers and consumers increases requires attention to securing the web services. In this article WS-Security, and Oracle WSM, are introduced as a way of protecting the business-critical information at the message level in a standardized way.

Article: SOA security, WSM and WS-Security


WSM installation

I have created a detailed installation guide on how to install WSM, Oracle Web Services Manager.

The installation guide starts out by installing a separate J2EE server, apart from the SOA Suite install, and then creates a separate OC4J instance to hold the WSM components. This separates the administrative component (ascontrol) from the WSM components.
The WSM installation is then done as an advanced install into this OC4J instance.
There are also details on how to create a dedicated WSM database instance.

Even if there are already existing J2EE servers running SOA Suite components, it is general advice to separate WSM from the SOA Suite.

Article: WSM detailed installation guide

And now you have a WSM to secure your web services.


Oracle Web Services Manager

In a SOA architecture with a set of services originally exposed only to the internal network, a new business requirement was to open a set of services for external Internet access. Rewriting the services for consolidation would be time-consuming, and changes to the services would also require changes to existing service consumers.

By using Oracle Web Services Manager as a proxy, a declarative security approach was enabled within weeks.

Oracle Web Services Manager consists of four components: gateway, policy manager, control and monitor. A flexible installation setup is the gateway installed in the DMZ and the remaining components installed in the internal zone together with the OWSM database schema. This split lets the gateway run every incoming request through a set of policy steps and reject unauthorized access already in the DMZ, before anything reaches the internal services. Oracle licensing and its price matrix are negotiable, and one customer actually ended up paying for two OWSM licenses with this distributed setup. But normally this is just a matter of taking advantage of an excellent product for declarative security.
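What one of those gateway policy steps has to verify, and what the consumer puts on the wire to satisfy it, for the WS-Security UsernameToken mentioned in the WS-Security article above: the PasswordDigest form, where Password = Base64(SHA-1(nonce + created + password)). This is an added example, not Oracle WSM code and not code from the original posts; the credential store (SERVICE_USERS), the clock-skew limit (MAX_SKEW), the sample body and the user name are assumed.

```python
"""WS-Security UsernameToken (PasswordDigest): what a service consumer puts in
the SOAP header and the checks a gateway policy step runs before the request
reaches the internal service. Added example, not Oracle WSM code and not from
the original article. SERVICE_USERS, MAX_SKEW and the sample body are assumed."""
import base64
import datetime
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
for _prefix, _uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(_prefix, _uri)

SERVICE_USERS = {"partner-portal": "s3cret-pw"}  # assumed credential store of the gateway
MAX_SKEW = 300                                   # assumed: seconds Created may differ from gateway time
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"                  # whole seconds only; fractions are not handled here
SAMPLE_BODY = '<getAccount xmlns="urn:example:accounts"><id>42</id></getAccount>'  # constructed


def utc(stamp):
    """Parse a wsu:Created value into an aware UTC datetime (raises ValueError if malformed)."""
    return datetime.datetime.strptime(stamp, TIME_FMT).replace(tzinfo=datetime.timezone.utc)


def password_digest(nonce, created, password):
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), nonce as its raw bytes."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_request(username, password, body_xml, nonce=None, created=None):
    """Consumer side: wrap body_xml in an Envelope whose Security header carries a UsernameToken."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.datetime.now(datetime.timezone.utc).strftime(TIME_FMT)
    env = ET.Element("{%s}Envelope" % SOAP)
    header = ET.SubElement(env, "{%s}Header" % SOAP)
    sec = ET.SubElement(header, "{%s}Security" % WSSE, {"{%s}mustUnderstand" % SOAP: "1"})
    tok = ET.SubElement(sec, "{%s}UsernameToken" % WSSE)
    ET.SubElement(tok, "{%s}Username" % WSSE).text = username
    ET.SubElement(tok, "{%s}Password" % WSSE, {"Type": PASSWORD_DIGEST}).text = password_digest(nonce, created, password)
    ET.SubElement(tok, "{%s}Nonce" % WSSE).text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, "{%s}Created" % WSU).text = created
    ET.SubElement(env, "{%s}Body" % SOAP).append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


class UsernameTokenPolicy:
    """Gateway side: the ordered checks of a 'verify UsernameToken' policy step."""

    def __init__(self, users, max_skew=MAX_SKEW):
        self.users = users
        self.max_skew = max_skew
        self.seen_nonces = set()  # replay cache; a real gateway expires entries after max_skew

    def check(self, envelope_xml, now=None):
        """Return (accepted, reason). Rejects unknown users, clear-text passwords,
        stale or malformed timestamps, replayed nonces and wrong digests."""
        now = now or datetime.datetime.now(datetime.timezone.utc)
        try:
            env = ET.fromstring(envelope_xml)
        except ET.ParseError:
            return False, "malformed envelope"
        tok = env.find(".//{%s}UsernameToken" % WSSE)
        if tok is None:
            return False, "no UsernameToken"

        def text(tag, ns=WSSE):
            el = tok.find("{%s}%s" % (ns, tag))
            return None if el is None or el.text is None else el.text.strip()

        user, pwd_el = text("Username"), tok.find("{%s}Password" % WSSE)
        if user not in self.users:
            return False, "unknown user"
        if pwd_el is None or pwd_el.get("Type") != PASSWORD_DIGEST:
            return False, "password must be a PasswordDigest"
        nonce_b64, created = text("Nonce"), text("Created", WSU)
        if not nonce_b64 or not created:
            return False, "Nonce and Created are required with a digest"
        try:
            created_at = utc(created)
            nonce = base64.b64decode(nonce_b64, validate=True)
        except ValueError:
            return False, "bad Created or Nonce encoding"
        if abs((now - created_at).total_seconds()) > self.max_skew:
            return False, "Created outside allowed clock skew"
        if nonce_b64 in self.seen_nonces:
            return False, "replayed nonce"
        expected = password_digest(nonce, created, self.users[user])
        if not hmac.compare_digest(expected, pwd_el.text or ""):
            return False, "digest mismatch"
        self.seen_nonces.add(nonce_b64)
        return True, "accepted %s" % user


if __name__ == "__main__":
    policy = UsernameTokenPolicy(SERVICE_USERS)
    request = build_request("partner-portal", "s3cret-pw", SAMPLE_BODY)
    print(request)
    print(policy.check(request))   # accepted
    print(policy.check(request))   # same nonce again: rejected as a replay
```

The order of the checks matters for a gateway sitting in the DMZ: the cheap structural and user checks run first, the timestamp window bounds how long the replay cache must remember a nonce, and the digest comparison is constant-time. A digest token only proves knowledge of the password; it does not protect the body, so the message-level signing and encryption the article mentions is what keeps the business-critical payload itself from being read or altered in transit.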

Recommended reading if you are about to spend time on Oracle Web Services Manager: the book "Oracle Web Services Manager" by Sitaraman Lakshminarayanan.

Oracle documentation on the subject is, as always, voluminous, but unfortunately lacking useful examples and perspectives from real-life projects.

For details on installation, configuration and user guidelines on Oracle Web Services Manager, please send mail to gwrogde(at)