Custom WAF vs Barracuda WAF360
Did a comparison at a client's place today, to showcase our Web Application Firewall vs Barracuda WAF 360.
Test setup: Vulnerability scanner -> Barracuda/Custom WAF -> Metasploitable in VM.
Results?
We blew the competition away. In fact, it was so one-sided, I'm starting to wonder whether there was something wrong with the Barracuda or its setup (which was taken from a production site, configuration unchanged... it was configured by Barracuda tech there).
1) Without WAF - 62 issues at 11000 odd requests (we were too impatient for it to reach 100%, looked like it was going to take some time so we settled on the arbitrary figure of 11k header requests)
2) With Barracuda WAF360 - 56 issues at 11000 odd requests. Some improvement, but this is allowing a surprisingly large number of items through (!).
3) Our custom WAF - 4 issues at 100% scan. Actually it was zero, but we had to disable scanner detection (our WAF detects security scans and blocks them) to let Netsparker have a fair go at it. Then again, most script kiddies will use off the shelf software such as Netsparker, so one might argue it's fair to block them all. Denying information gathering is a basic tenet of security hardening.
There are obviously things we can do to improve the results. Firstly, to let the scan run to 100% (doh). Secondly, to use other vulnerability scanners, e.g. Nikto. We had a module dependency issue on our test laptop so had to forego a Nikto scan. Thirdly, the number of issues discovered has no bearing on how many high threat issues there are that can actually be exploited. The free version of Netsparker does not give a full breakdown.
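The post's custom WAF blocks a scan outright once it recognises it, which is why the "fair" run had scanner detection switched off. The following is an added example of that kind of detection, written for this page and not the code of the author's WAF or of any vendor: it parses constructed combined-format access-log lines and flags a client either by a User-Agent that names a known scanner (Netsparker and Nikto are the two tools the post mentions; the marker list is an assumption) or by a burst of many distinct paths or 404s inside a short window. All thresholds, IPs, paths and user-agent strings are assumptions constructed for the example.

```python
"""Scanner-detection heuristic of the kind the post describes (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SCANNER_UA_MARKERS = ("netsparker", "nikto")  # assumption: extend for your own estate
WINDOW = timedelta(seconds=10)                 # assumption: sliding window length
MAX_DISTINCT_PATHS = 20                        # assumption: tune per site
MAX_404S = 10                                  # assumption: tune per site


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_scanners(lines):
    """Return {client_ip: reason} for clients that look like vulnerability scanners."""
    flagged = {}
    events = defaultdict(list)  # ip -> [(timestamp, path, status)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: ignore rather than crash the filter
        ip = rec["ip"]
        if any(marker in rec["ua"].lower() for marker in SCANNER_UA_MARKERS):
            flagged.setdefault(ip, "scanner user-agent: " + rec["ua"])
            continue
        events[ip].append((rec["ts"], rec["path"], rec["status"]))

    # Behavioural check: a sliding window over each client's requests.
    for ip, evs in events.items():
        if ip in flagged:
            continue
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            distinct = len({path for _, path, _ in window})
            n404 = sum(1 for _, _, status in window if status == 404)
            if distinct > MAX_DISTINCT_PATHS or n404 > MAX_404S:
                flagged[ip] = (f"burst: {distinct} distinct paths, {n404} 404s "
                               f"within {int(WINDOW.total_seconds())}s")
                break
    return flagged


def make_line(ip, ts, path, status, ua):
    """Build a constructed combined-log-format line for the sample below."""
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


# Constructed sample log: one ordinary visitor, one self-announcing scanner,
# one scanner hiding behind a browser user-agent but probing many paths fast.
_T0 = datetime(2013, 4, 24, 14, 0, 0, tzinfo=timezone(timedelta(hours=8)))
SAMPLE_LOG = (
    [make_line("192.0.2.10", _T0 + timedelta(seconds=12 * i), path, 200,
               "Mozilla/5.0 (X11; FreeBSD) Gecko/20100101 Firefox/20.0")
     for i, path in enumerate(["/", "/about", "/blog", "/contact", "/blog/1"])]
    + [make_line("198.51.100.7", _T0 + timedelta(seconds=i), f"/item{i}", 200,
                 "Mozilla/5.0 (compatible; Netsparker)") for i in range(3)]
    + [make_line("203.0.113.9", _T0 + timedelta(seconds=i // 3), f"/probe-{i}.php", 404,
                 "Mozilla/5.0 (Windows NT 6.1) Chrome/26.0") for i in range(25)]
)

if __name__ == "__main__":
    for ip, reason in sorted(detect_scanners(SAMPLE_LOG).items()):
        print(f"block {ip}: {reason}")
```

The user-agent check catches off-the-shelf tools that identify themselves; the window check is what still fires when a scanner spoofs a browser string. When benchmarking a WAF, as the post did, disable both so the scanner actually reaches the rule set you want to measure, and tune the thresholds against your own traffic before enforcing them, since a busy crawler or a site with many 404s can trip the burst rule.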
Wednesday, 24 April 2013
Wednesday, 17 April 2013
HOWTO: Updating ports and sources using svnup on FreeBSD
If you're used to cvsup/csup, they're deprecated/End of Life. It's time you moved to Subversion, which is now the official method of updating from source. However, subversion has a long list of dependencies (try a pkg_add -r subversion and see). Now there's a lite version in ports, svnup:
#pkg_add -r svnup , OR
#cd /usr/ports/net/svnup && make install clean
Syntax is simple too. To update ports tree,
#svnup -h svn.freebsd.org -b ports/head -l /usr/ports
To update to 8-STABLE sources,
#svnup -h svn.freebsd.org -b base/stable/8 -l /usr/src
One note of warning. Svnup does not support subversion's .svn directory. Use one or the other only.
More info: http://www.freshports.org/net/svnup/
Update (6 Jun 2013): The latest version (0.73) does not appear to work with the above command lines. There is now a .conf file at /usr/local/etc/svnup.conf. Edit that, change protocol from https to svn, uncomment hostname. I get a segfault though.
<snip>
( get-file ( 30:/contrib/libreadline/display.c ( 251374 ) true false ) )
==========
>> Response:
Segmentation fault (core dumped)c/gnu/usr.bin/groff/src/devices/grohtml/Makefile
Probably best to use the full subversion port at this time since svnup seems to be a work in progress.
Update (26 July): Svnup works. To get it working, change protocol as per above, choose which stable branch you want, then merely run
#svnup stable
Much easier than remembering parameters.
Thursday, 11 April 2013
Dlink DIR615 Unifi router - !@#%$
Don't get me started how bad the above is. Actually, I have a lot more adjectives, but let's keep this family friendly.
Today one of my clients reported that their website (being run internally) was down. I logged in via ssh and verified that it was fine... apache/mysql all up and running as it should. HOWEVER, for some reason port 80 traffic was not being forwarded to the webserver, even though ssh was being forwarded just fine.
Solution: Power-toggle the Dlink, and everything is hunky dory again.
At least until the next time...which will be soon until they get a proper firewall which is the only sane thing to do.
Moral of the story: A router which TM probably got for RM60 (or less), from a supplier that was probably squeezed on pricing, and which TM saw fit to modify the original firmware to their own specs, is not exactly suitable hardware for your internet costing thousands per year, to forward traffic/protect servers costing thousands more. That does not even take into account the cost of downtime. If you're running anything other than a vanity site, do the right thing and invest in a proper firewall. You don't even need expensive ones. What you need is something that supports VLANs, has an IDS/IPS (Intrusion Detection & Prevention, to prevent bad traffic from hitting your servers), and Transparent Proxy Filtering (to make sure your staff isn't Facebooking throughout the day). This doesn't need to cost a bomb.
Uncovering a faulty HDD
Helped a dealer troubleshoot one storage box. Apparently smartmontools gave a clean bill of health... WD diagnostics also did not flag it (a rare combo), though there were plenty of vnode_pager_putpages on the console. It took a make buildworld to actually uncover LBA ABRTs, so that helped in identifying the faulty HDD. Off to RMA. Thanks to ZFS RAID-Z1, no data was lost or corrupted.
Tuesday, 9 April 2013
ZFS compression
FreeBSD 9-STABLE has a new option for ZFS transparent compression: lz4. For most of my builds I use lzjb, however lz4 appears to have some compelling advantages:
- Approximately 50% faster compression when operating on compressible data.
- Approximately 80% faster on decompression.
- Over three times faster on compression of incompressible data.
- Higher compression ratio (up to 10% on the larger block sizes).
- Performance on modern CPUs often exceeds 500 MB/s on compression and over 1.5 GB/s on decompression and incompressible data (per single CPU core).
Used equipment for sale
Anyone looking for a used Intel Modular Server? Helping a client dispose of their unit, having finished with their project.
Item 1:
1 Intel MFSYS25 Base Chassis
4 x Compute Modules/Blades (6-core 1x Xeon 5660, 12GB DDR3 ECC )
6 x 300GB SAS HDD
2 x 300GB SSD
Intel Virtualization Manager (creates up to 128 VMs)
4 x Windows Server 2008 R2
2 years warranty remaining.
All for RM40k. Makes an excellent virtualization platform for hosting without incurring the cost of VMWare. Virtualization supports Win/Linux/FreeBSD.
More info about the Intel Modular Server
Item 2:
Barracuda Web Application Firewall 360. Datasheet (PDF). Going for RM25K (neg).
If you're interested, email me: infoREMOVETHIS@tjtech.my
Fun with blades
Was assisting a client with their blade servers today. Apparently their blade server decided booting from LUN0 (HDD) from the integrated SAN storage was less preferred than PXE, so it was hanging at the Network Boot Agent prompt. Some reordering in BIOS, and all is fine again. They also had an issue with being unable to add a hotspare drive to the pool, which required a full shutdown of the blade.
Thursday, 4 April 2013
Apa khabar, dunia!
Last time I had a blog, it was still in the 90s, where the word blog wasn't even invented. We had ICQ. Hotmail (pre-Microsoft takeover). Google was about to be launched. The internet was a booming township of settlers, and we were in awe, coming in from the era of BBSes.
Much time has passed. Facebook. The rise of Apple, the decline of Microsoft. The consolidations within the tech industry, where from many, there are now far fewer but larger entities...giants with financial clout and marketing funds. But are their products actually better (insert metrics: support, openness, cost, reliability, performance), or is it an illusion? Big player=better product does not translate. And into this space, I nail down my stake. To be continued.