____ is a session data probe collector and analysis tool

******ebook converter DEMO Watermarks*******

******ebook converter DEMO Watermarks*******

The Tao of Network Security Monitoring

Beyond Intrusion Detection

Richard Bejtlich

Boston • San Francisco • New York • Toronto • Montreal London • Munich • Paris • Madrid

Capetown • Sydney • Tokyo • Singapore • Mexico City

******ebook converter DEMO Watermarks*******

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and Addison-Wesley was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals. This is a book about network monitoring. The act of collecting traffic may violate local, state, and national laws if done inappropriately. The tools and techniques explained in this book should be tested in a laboratory environment, separate from production networks. None of the tools or techniques should be tested with network devices outside of your responsibility or authority. Suggestions on network monitoring in this book shall not be construed as legal advice. The author and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein. The publisher offers discounts on this book when ordered in quantity for bulk purchases and special sales. For more information, please contact: U.S. Corporate and Government Sales

(800) 382-3419 corpsales@pearsontechgroup.com

For sales outside of the U.S., please contact: International Sales

(317) 581-3793 international@pearsontechgroup.com

Visit Addison-Wesley on the Web: www.awprofessional.com Library of Congress Cataloging-in-Publication Data Bejtlich, Richard. The Tao of network security monitoring : beyond intrusion detection / Richard Bejtlich. p. cm. ISBN 0-321-24677-2 (pbk.)

******ebook converter DEMO Watermarks*******

mailto:corpsales@pearsontechgroup.com

mailto:international@pearsontechgroup.com

http://www.awprofessional.com

1. Computer networks—Security measures. I. Title.

TK5105.59.B44 2004 005.8-dc 22 2004007857 Copyright © 2005 by Pearson Education, Inc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior consent of the publisher. Printed in the United States of America. Published simultaneously in Canada. For information on obtaining permission for use of material from this work, please submit a written request to: Pearson Education, Inc.

Rights and Contracts Department 75 Arlington Street, Suite 300 Boston, MA 02116 Fax: (617) 848-7047

ISBN 0-321-24677-2 Text printed in the United States on recycled paper at Courier Stoughton in Stoughton, Massachusetts. 10th Printing March 2010

******ebook converter DEMO Watermarks*******

TO MY WIFE, AMY: LOVE IS CERTAIN, LOVE IS KIND. IT ISN'T SOMETHING THAT WE FIND. IT'S

SOMETHING THAT WE DO.

******ebook converter DEMO Watermarks*******

Contents

Foreword Preface About the Author About the Contributors Part I. Introduction to Network Security Monitoring Chapter 1. The Security Process What Is Security? What Is Risk? Threat Vulnerability Asset Value A Case Study on Risk Security Principles: Characteristics of the Intruder Some Intruders Are Smarter Than You Many Intruders Are Unpredictable Prevention Eventually Fails Security Principles: Phases of Compromise Reconnaissance Exploitation Reinforcement Consolidation Pillage

******ebook converter DEMO Watermarks*******

Security Principles: Defensible Networks Defensible Networks Can Be Watched Defensible Networks Limit an Intruder's Freedom to Maneuver Defensible Networks Offer a Minimum Number of Services Defensible Networks Can Be Kept Current Conclusion Chapter 2. What Is Network Security Monitoring? Indications and Warnings Collection, Analysis, and Escalation Detecting and Responding to Intrusions Why Do IDS Deployments Often Fail? Outsiders versus Insiders: What Is NSM's Focus? Security Principles: Detection Intruders Who Can Communicate with Victims Can Be Detected Detection through Sampling Is Better Than No Detection Detection through Traffic Analysis Is Better Than No Detection Security Principles: Limitations Collecting Everything Is Ideal but Problematic Real Time Isn't Always the Best Time Extra Work Has a Cost What NSM Is Not NSM Is Not Device Management NSM Is Not Security Event Management NSM Is Not Network-Based Forensics NSM Is Not Intrusion Prevention NSM in Action ******ebook converter DEMO Watermarks*******

Conclusion Chapter 3. Deployment Considerations Threat Models and Monitoring Zones The Perimeter The Demilitarized Zone The Wireless Zone The Intranet Accessing Traffic in Each Zone Hubs SPAN Ports Taps Inline Devices Wireless Monitoring Sensor Architecture Hardware Operating System Sensor Management Console Access In-Band Remote Access Out-of-Band Remote Access Conclusion Part II. Network Security Monitoring Products Chapter 4. The Reference Intrusion Model The Scenario The Attack ******ebook converter DEMO Watermarks*******

Conclusion Chapter 5. Full Content Data A Note on Software Libpcap Tcpdump Basic Usage of Tcpdump Using Tcpdump to Store Full Content Data Using Tcpdump to Read Stored Full Content Data Timestamps in Stored Full Content Data Increased Detail in Tcpdump Full Content Data Tcpdump and Berkeley Packet Filters Tethereal Basic Usage of Tethereal Using Tethereal to Store Full Content Data Using Tethereal to Read Stored Full Content Data Getting More Information from Tethereal Snort as Packet Logger Basic Usage of Snort as Packet Logger Using Snort to Store Full Content Data Using Snort to Read Stored Full Content Data Finding Specific Parts of Packets with Tcpdump, Tethereal, and Snort Ethereal Basic Usage of Ethereal Using Ethereal to Read Stored Full Content Data Using Ethereal to Rebuild Sessions Other Ethereal Features

******ebook converter DEMO Watermarks*******

A Note on Commercial Full Content Collection Options Conclusion Chapter 6. Additional Data Analysis Editcap and Mergecap Tcpslice Tcpreplay Tcpflow Ngrep IPsumdump Etherape Netdude Using Netdude What Do Raw Trace Files Look Like? P0f Conclusion Chapter 7. Session Data Forms of Session Data Cisco's NetFlow Fprobe Ng_netflow Flow-tools Flow-capture Flow-cat and Flow-print sFlow and sFlow Toolkit Argus ******ebook converter DEMO Watermarks*******

Argus Server Ra Client Tcptrace Conclusion Chapter 8. Statistical Data What Is Statistical Data? Cisco Accounting Ipcad Ifstat Bmon Trafshow Ttt Tcpdstat MRTG Ntop Conclusion Chapter 9. Alert Data: Bro and Prelude Bro Installing Bro and BRA Interpreting Bro Output Files Bro Capabilities and Limitations Prelude Installing Prelude Interpreting Prelude Output Files Installing PIWI Using PIWI to View Prelude Events ******ebook converter DEMO Watermarks*******

Prelude Capabilities and Limitations Conclusion Chapter 10. Alert Data: NSM Using Sguil Why Sguil? So What Is Sguil? The Basic Sguil Interface Sguil's Answer to “Now What?” Making Decisions with Sguil Sguil versus the Reference Intrusion Model SHELLCODE x86 NOOP and Related Alerts FTP SITE Overflow Attempt Alerts SCAN nmap TCP Alerts MISC MS Terminal Server Request Alerts Conclusion Part III. Network Security Monitoring Processes Chapter 11. Best Practices Assessment Defined Security Policy Protection Access Control Traffic Scrubbing Proxies Detection Collection Identification ******ebook converter DEMO Watermarks*******

Validation Escalation Response Short-Term Incident Containment Emergency Network Security Monitoring Back to Assessment Analyst Feedback Conclusion Chapter 12. Case Studies for Managers Introduction to Hawke Helicopter Supplies Case Study 1: Emergency Network Security Monitoring Detection of Odd Orders System Administrators Respond Picking Up the Bat Phone Conducting Incident Response Incident Response Results Case Study 2: Evaluating Managed Security Monitoring Providers HHS Requirements for NSM HHS Vendor Questionnaire Asset Prioritization Case Study 3: Deploying an In-House NSM Solution Partner and Sales Offices HHS Demilitarized Zone Wireless Network Internal Network “But Who Shall Watch the Watchers?”

******ebook converter DEMO Watermarks*******

Other Staffing Issues Conclusion Part IV. Network Security Monitoring People Chapter 13. Analyst Training Program Weapons and Tactics Definition Tasks References Telecommunications Definition Tasks References System Administration Definition Tasks References Scripting and Programming Definition Tasks References Management and Policy Definition Tasks References Training in Action Periodicals and Web Sites ******ebook converter DEMO Watermarks*******

Case Study: Staying Current with Tools Conclusion Chapter 14. Discovering DNS Normal Port 53 Traffic Normal Port 53 UDP Traffic Normal Port 53 TCP Traffic Suspicious Port 53 Traffic Suspicious Port 53 UDP Traffic Suspicious Port 53 TCP Traffic Malicious Port 53 Traffic Malicious Port 53 UDP Traffic Malicious Port 53 TCP and UDP Traffic Conclusion Chapter 15. Harnessing the Power of Session Data The Session Scenario Session Data from the Wireless Segment Session Data from the DMZ Segment Session Data from the VLANs Session Data from the External Segment Conclusion Chapter 16. Packet Monkey Heaven Truncated TCP Options SCAN FIN Chained Covert Channels Conclusion ******ebook converter DEMO Watermarks*******

Part V. The Intruder versus Network Security Monitoring Chapter 17. Tools for Attacking Network Security Monitoring Packit IP Sorcery Fragroute LFT Xprobe2 Cisco IOS Denial of Service Solaris Sadmin Exploitation Attempt Microsoft RPC Exploitation Conclusion Chapter 18. Tactics for Attacking Network Security Monitoring Promote Anonymity Attack from a Stepping-Stone Attack by Using a Spoofed Source Address Attack from a Netblock You Don't Own Attack from a Trusted Host Attack from a Familiar Netblock Attack the Client, Not the Server Use Public Intermediaries Evade Detection Time Attacks Properly Distribute Attacks Throughout Internet Space Employ Encryption Appear Normal Degrade or Deny Collection ******ebook converter DEMO Watermarks*******

Deploy Decoys Consider Volume Attacks Attack the Sensor Separate Analysts from Their Consoles Self-Inflicted Problems in NSM Conclusion Epilogue. The Future of Network Security Monitoring Remote Packet Capture and Centralized Analysis Integration of Vulnerability Assessment Products Anomaly Detection NSM Beyond the Gateway Conclusion Part VI. Appendixes Appendix A. Protocol Header Reference Appendix B. Intellectual History of Network Security Monitoring Appendix C. Protocol Anomaly Detection Index

******ebook converter DEMO Watermarks*******

Foreword

We've all heard the phrase “knowledge will set you free.” When it comes to real-world network security, I can think of no other phrase with which security professionals must arm themselves. Whether you are brand new to network intrusion detection, an incident responder, or a long-time network security veteran, you must always boil any situation down to its basic facts. The book you are about to read will arm you with the knowledge you need to defend your network from attackers, both the obvious and the not so obvious. Unlike other computer security books that focus on catching the “hack of the week,” this book will equip you with the skills needed to perform in-depth analysis of new and emerging threats. This book discusses many different approaches to network security. It also describes how to communicate and in some cases justify security monitoring efforts. This is important because many organizations may not readily appreciate the need for monitoring— until it is too late. Frequently I run into security “professionals” who rely on “cookbook” methodologies or their favorite tools. Too often, these people do not have a broad understanding of how networks really work and are not effective in increasing their network's defensive posture or communicating with the network administrators. Although there is no substitute for actual system and network administration experience, by reading this book you will undoubtedly come away knowing more relevant information than when you started. In many large organizations, to gain the respect of the system or network administrators, you need to be able to converse at their level—even if it is way above or below your expertise. The amount of plain talk in this book struck me as amazing. Firewalls can fail! Intrusion detection systems can be bypassed! Network monitors can be overloaded! We don't normally hear these messages from our vendors, nor do we hear it from our security administrators. Neither the vendor nor the administrator would be very successful if they focused on all the things that could go wrong. Unfortunately, this creates many false perceptions in the minds of managers and users. ******ebook converter DEMO Watermarks*******

You will enjoy the many examples in this book that show how a network is compromised and how it could have been prevented with some extra monitoring. Another dirty little secret that many security professionals don't speak much about is that our own tools are sometimes the most insecure portion of a network. You may be quite surprised to find out that the server set up to do sniffing or monitoring may be the gateway into the very network you are defending. You will learn ways to mitigate that threat too. I strongly urge you to try using the tools described throughout this book while you are reading it. All of the tools are available for FreeBSD, Linux, and, in many cases, Windows. Although it may take longer to read the book, learning by using is more effective than skimming the command-line syntax. If you are new to network security, don't put this book back on the shelf! This is a great book for beginners. I wish I had access to it many years ago. If you've learned the basics of TCP/IP protocols and run an open source or commercial intrusion detection system, you may be asking, “What's next?” If so, this book is for you. Some people have been performing network security monitoring for a very long time, and this book reviews that history. It will expose you to many other forms of monitoring that are not pure intrusion detection. The information about how you can use various tools to enhance your network security monitoring activities is an excellent resource all on its own. I wish you the best of luck monitoring and defending your network! Ron Gula

CTO and Founder of Tenable Network Security Original author of the Dragon Intrusion Detection System

******ebook converter DEMO Watermarks*******

Preface

Welcome to The Tao of Network Security Monitoring: Beyond Intrusion Detection. The goal of this book is to help you better prepare your enterprise for the intrusions it will suffer. Notice the term “will.” Once you accept that your organization will be compromised, you begin to look at your situation differently. If you've actually worked through an intrusion—a real compromise, not a simple Web page defacement—you'll realize the security principles and systems outlined here are both necessary and relevant. This book is about preparation for compromise, but it's not a book about preventing compromise. Three words sum up my attitude toward stopping intruders: prevention eventually fails. Every single network can be compromised, either by an external attacker or by a rogue insider. Intruders exploit flawed software, misconfigured applications, and exposed services. For every corporate defender, there are thousands of attackers, enumerating millions of potential targets. While you might be able to prevent some intrusions by applying patches, managing configurations, and controlling access, you can't prevail forever. Believing only in prevention is like thinking you'll never experience an automobile accident. Of course you should drive defensively, but it makes sense to buy insurance and know how to deal with the consequences of a collision. Once your security is breached, everyone will ask the same question: now what? Answering this question has cost companies hundreds of thousands of dollars in incident response and computer forensics fees. I hope this book will reduce the investigative workload of your computer security incident response team (CSIRT) by posturing your organization for incident response success. If you deploy the monitoring infrastructure advocated here, your CSIRT will be better equipped to scope the extent of an intrusion, assess its impact, and propose efficient, effective remediation steps. The intruder will spend less time stealing your secrets, damaging your reputation, and abusing your resources. If you're fortunate and collect the right information in a forensically sound manner, you might provide the evidence needed to put an intruder in jail.

******ebook converter DEMO Watermarks*******

Audience

This book is for security professionals of all skill levels and inclinations. The primary audience includes network security architects looking for ways to improve their understanding of their network security posture. My goal is to provide tools and techniques to increase visibility and comprehension of network traffic. If you feel let down by your network-based intrusion detection system (NIDS), this book is definitely for you. I explain why most NIDS deployments fail and how you can augment existing NIDS with open source tools. Because this book focuses on open source tools, it is more likely to be accepted in smaller, less bureaucratic organizations that don't mandate the use of commercial software. Furthermore, large organizations with immense bandwidth usage might find some open source tools aren't built to handle outrageous traffic loads. I'm not convinced the majority of Internet-enabled organizations are using connections larger than T-3 lines, however.1 While every tool and technique hasn't been stress-tested on high-bandwidth links, I'm confident the material in this book applies to a great majority of users and networks. If you're a network security analyst, this book is also for you. I wrote this book as an analyst, for other analysts. This means I concentrate on interpreting traffic, not explaining how to install and configure every single tool from source code. For example, many books on “intrusion detection” describe the Transmission Control Protocol/Internet Protocol (TCP/IP) suite and how to set up the Snort open source IDS engine with the Analysis Console for Intrusion Databases (ACID) interface. These books seldom go further because they soon encounter inherent investigative limitations that restrict the usefulness of their tools. Since my analytical techniques do not rely on a single product, I can take network-based analysis to the next level. I also limit discussion of odd packet header features, since real intrusions do not hinge on the presence of a weird TCP flag being set. The tools and techniques in this book concentrate on giving analysts the information they need to assess intrusions and make decisions, not just identify mildly entertaining reconnaissance patterns.

******ebook converter DEMO Watermarks*******

This book strives to not repeat material found elsewhere. You will not read how to install Snort or run Nmap. I suggest you refer to the recommended reading list in the next section if you hunger for that knowledge. I introduce tools and techniques overlooked by most authors, like the material on protocol anomaly detection by Brian Hernacki, and explain how you can use them to your advantage. Technical managers will appreciate sections on best practices, training, and personnel issues. All the technology in the world is worthless if the staff manning it doesn't understand their roles, responsibilities, and escalation procedures. Managers will also develop an intuition for the sorts of information a monitoring process or product should provide. Many vendors sell services and products named with combinations of the terms “network,” “security,” and “monitoring.” This book creates a specific definition for network security monitoring (NSM), built on a historical and operational foundation. Prerequisites

I've tried to avoid duplicating material presented elsewhere, so I hope readers lacking prerequisite knowledge take to heart the following reading suggestions. I highly recommend reading the following three books prior to this one. If you've got the necessary background, consider these titles as references. • Internet Site Security, by Erik Schetina, Ken Green, and Jacob Carlson

(Boston, MA: Addison-Wesley, 2002). This is an excellent “security 101” book. If you need to start from the ground floor, this book is a great beginning.

• Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses, by Ed Skoudis (Upper Saddle River, NJ: Prentice Hall PTR, 2001). Counter Hack offers the best single-chapter introductions to TCP/IP, Microsoft Windows, UNIX, and security issues available.

• Hacking Exposed: Network Security Secrets and Solutions, 4th ed., by Stuart McClure, Joel Scambray, and George Kurtz (New York:

******ebook converter DEMO Watermarks*******

McGraw-Hill, 2003). Hacking Exposed explores the capabilities and intentions of digital threats. By knowing how to compromise computers, you'll understand the sorts of attacks network security monitoring practitioners will encounter.

If you need an introduction to intrusion detection theory, I recommend the following book: • Intrusion Detection, by Rebecca Gurley Bace (Indianapolis, IN: New

Riders, 2000). While not strictly needed to understand the concepts in this book, Intrusion Detection provides the history and mental lineage of IDS technology. As The Tao of Network Security Monitoring focuses on network-based tactics, you can turn to Intrusion Detection for insight on host-based detection or the merits of signature- or anomaly-based IDS.

It helps to have a good understanding of TCP/IP beyond that presented in the aforementioned titles. The following are a few of my favorite books on TCP/IP. • Internet Core Protocols: The Definitive Guide, by Eric A. Hall

(Cambridge, MA: O'Reilly, 2000). Many people consider Richard Stevens' TCP/IP Illustrated Volume 1: The Protocols (Reading, MA: Addison-Wesley, 1994) to be the best explanation of TCP/IP. I think Eric Hall's more recent book is better suited for modern network traffic analysts.

• Network Analysis and Troubleshooting, by J. Scott Haugdahl (Boston, MA: Addison-Wesley, 2000). Troubleshooting books tend to offer the more interesting explanations of protocols in action. Scott Haugdahl works his way up the seven layers of the Open Systems Interconnect (OSI) model, using packet traces and case studies.

• Troubleshooting Campus Networks: Practical Analysis of Cisco and LAN Protocols, by Priscilla Oppenheimer and Joseph Bardwell (Indianapolis, IN: Wiley, 2002). This title is considerably broader in scope than Scott Haugdahl's work, with coverage of virtual local area networks (VLANs), routing protocols, and wide area network (WAN) protocols like Asynchronous Transfer Mode (ATM).

One other book deserves mention, but I request you forgive a small amount ******ebook converter DEMO Watermarks*******

of self-promotion. The Tao of Network Security Monitoring is primarily about detecting incidents through network-based means. In some senses it is also an incident response book. Effective incident response, however, reaches far beyond network-based evidence. To learn more about host-based data, such as file systems and memory dumps, I recommend Real Digital Forensics (Boston, MA: Addison-Wesley, 2005). I wrote the network monitoring sections of the book, and coauthors Keith Jones and Curtis Rose did the host- and memory-level forensics. If you'd like to see the big picture for incident response, read Real Digital Forensics. A Note on Operating Systems

All of the tools I discuss in this book run on the FreeBSD (http://www.freebsd.org) operating system. FreeBSD is a UNIX-like, open source environment well suited for building network security monitoring platforms.2 If you're familiar with Linux or any other Berkeley Software Distribution (OpenBSD or NetBSD), you'll have no trouble with FreeBSD. I strongly recommend running NSM tools on UNIX-like platforms like the BSDs and Linux. You might consider trying a live CD-ROM FreeBSD distribution prior to committing a hard drive to installation. You may already know about Knoppix (http://www.knopper.net/knoppix/index-en.html), the most famous Linux-based live CD-ROM operating system. FreeBSD offers the FreeSBIE distribution (http://www.freesbie.org). FreeSBIE recently shipped version 1.0, based on the FreeBSD 5.2.1 RELEASE edition. Live distributions boot from the CD-ROM and run all programs within memory. They can be configured to write to removable media like USB thumb drives or the hard drive of the host computer. Live distributions are a good way to test hardware compatibility before going through the time and effort to install a new operating system on a system's hard drive. For example, before upgrading a FreeBSD 4.9–based system to version 5.2.1, I booted a FreeBSD 5.2.1–based live distribution and checked whether it saw all of the hardware properly. Figure 1 shows FreeSBIE 1.0 running several programs. Many security tools are included in the distribution, including Nessus, Nmap and NmapFE, Snort, ******ebook converter DEMO Watermarks*******

http://www.freebsd.org

http://www.knopper.net/knoppix/index-en.html

http://www.freesbie.org

and Ethereal. I am investigating building an NSM-minded FreeBSD-based live distribution to run the tools discussed in this book.

Figure 1. FreeSBIE 1.0 running Ethereal, NmapFE, Snort 2.1.0, and The Gimp

If you want to learn about FreeBSD, I suggest these books. • FreeBSD: An Open-Source Operating System for Your Personal

Computer, 2nd ed., by Annelise Anderson (Portola Valley, CA: Bit Tree Press, 2001). Absolute UNIX newbies will find Annelise Anderson's book the gentlest introduction to FreeBSD.

• Absolute BSD: The Ultimate Guide to FreeBSD, by Michael Lucas (San Francisco, CA: No Starch Press, 2002). Michael Lucas has an uncanny ability to answer the questions his readers are bound to ask. Keep in mind that Annelise Anderson's book and Absolute BSD focus on FreeBSD 4.x, so certain details might change with FreeBSD 5.x.

• The Complete Guide to FreeBSD, 4th ed., by Greg Lehey (Cambridge, MA: O'Reilly, 2003). Greg Lehey covers more than just FreeBSD; he

******ebook converter DEMO Watermarks*******

addresses system and network administration issues as well. This is the first book explicitly written with FreeBSD 5.x in mind.

I'm often asked why I use FreeBSD and not OpenBSD. I use FreeBSD because I believe it is the best general-purpose operating system available. It has more applications in its ports tree, a larger development community, and better network and multiprocessor performance. I develop and test all of my applications and techniques on FreeBSD. OpenBSD is more innovative in terms of security, with integrated defensive features like Systrace, the Pf firewall, increased use of privilege separation, and relentless removal of coding flaws. I believe OpenBSD may be a superior platform for building dedicated “security appliances.” Once the application is tested under a general-purpose operating system like FreeBSD, it can be deployed on a security-minded platform like OpenBSD. As the TrustedBSD project (http://www.trustedbsd.org) brings additional security features into the FreeBSD 5.x tree, FreeBSD's security features are competing well with OpenBSD. FreeBSD is beginning to adopt security systems like mandatory access control that are found in commercial operating systems like Trusted Solaris. In reality all three major BSD projects feed security ideas into each other, so competition among the projects is not a huge concern. Linux and Windows users might wonder where I stand on their operating systems. I believe Linux benefits from having a very large development community. Because so many coders run Linux, users are more likely to see patches introduced to improve Tcpdump's performance or implement other features useful to security professionals. I still prefer the BSDs to Linux because Linux is a kernel supplemented by tools selected by various distribution aggregators.3 There is also doubt about which Linux distribution is most likely to be used by the community. Prior to the arrival of Fedora Core, Red Hat Linux was more or less the de facto standard. Debian may be the heir to Red Hat's throne, but that situation remains in flux. This is not the best environment for developing security applications and standards. Windows is an operating system for consumers. It was designed to “make life easy” at the expense of security and operational transparency. The underlying Windows design model has not withstood connectivity to the Internet very

******ebook converter DEMO Watermarks*******

http://www.trustedbsd.org

well. The operating system provides far too many services on single ports. How can one disable port 135 or 139 TCP, for example, without breaking a dozen built-in applications? I believe the supposed ease of use of a Windows system, even if one accepted this feature to be true, is far outweighed by the risk of introducing the operating system in a critical security role. Those adding a security platform to a network should not violate the first rule of the Hippocratic Oath: do no harm. I have far more confidence in the reliability and resiliency of a FreeBSD or other UNIX system compared to a Windows system.