Thursday, March 31, 2011

New blog location

I am putting this blog to rest.  I will be writing about upcoming ideas, research, and industry happenings on my new work blog located here :

Of course you can always find the more relaxed, less structured Jonah on Twitter at

Look forward to having you all follow me over to my new location, and hopefully you will enjoy my writing and insight.

Monday, March 14, 2011

Off to a new adventure

I am just starting a new position with Gartner as a research director in the IT Operations space :

I am very excited to be making this career change, and I believe I will be able to contribute heavily to the content and direction of the areas that I have a true passion for.

I will be moving my blog to a Gartner blog in the coming month, and writing there instead.  I will post a link to my new blog here once it's online.  Please be patient as I move over to the new systems and get acclimated to my new position.

Saturday, February 26, 2011

Patching and updating for home and corporate

We are all well aware of the Microsoft patches and Windows Update.  The same goes for those of us who use iTunes and iOS devices: we know Apple Software Update.  Some of us may even patch our Adobe products, which we should, since they have been the largest attack vector for the past 2 years, hands down.  This is just at home.... How do you expect the security experts to keep on top of all of these patches in a corporate environment?  The number of patches for Oracle alone is daunting to understand and analyze.

There are ways to do this: you can use some clever software, which I will outline below, or you can read ~25 RSS feeds and analyze vendor security bulletins.  I do enjoy doing some of this, but I don't have time to keep on top of all the releases.  Here is some software for home and corporate use to help manage this.

Corporate Patch Management:

  • Microsoft WSUS and SCCM - This is free and a no-brainer for patching your desktops in a corporate environment.  If you need tighter control you can implement System Center Configuration Manager (SCCM, formerly SMS), which does a good job.  Microsoft has invested heavily in these products and brought them a long way from the old SMS days.
  • Shavlik HFnetchk pro - Great product, but the price hasn't fallen as the competition has heated up.  This product does a good job with other products outside of Microsoft, but doesn't support Linux or other *NIX variants.
  • GFI Languard - Cheap tool and does a good job with patching servers or desktops.  Normally I recommend this for servers since it does a good job with general auditing too.  Works well on Linux as well.
  • Lumension Patch Management (formerly PatchLink) - Used this previously; it's a mixture of online services and in-house software.  It's a good product, and can handle multiple operating systems.  Cost is mid-range.  I haven't used the other components of the suite, but I would be willing to test them out.  When I was using the product it did a great job on Solaris, Linux, and Windows.
  • ManageEngine Security Manager Plus - This product was missing some key features in managing the patch lists, but overall it worked well and it was inexpensive.  I love some of the other tools by these guys, who also bring us the Zoho products.  The product does support Linux as well as Windows.

Wish list: I wish Spiceworks would get into this space!

Home Patch Management:

  • Windows Update - Turn it on, and use it at home.  It also manages updates for other Microsoft products if you follow these directions to enable this feature :
  • Secunia PSI - If you are a moderately advanced user this product does a great job managing updates to all of your other system software.  Highly recommend using this product.  I haven't tested the commercial versions of the products; I would be willing to test them if someone from Secunia contacts me.
  • Mozilla Firefox/Thunderbird - These products and their plugins do a good job of updating themselves, but when there is a new major release they don't auto-update.  This is something that Secunia would handle, for example moving from Firefox 3.5 to 3.6... or soon from 3.6 to 4.0.  The extensions update themselves well on any of the products from Mozilla.
  • Chrome - This product has the smartest, best update system of any.  Since the application resides not in Program Files, but within the user's home directory, it doesn't have restrictions on what it can do to its own files.  This is both a blessing and a curse in the security realm.  The downside is that if there is a security issue it could compromise the browser binary itself, versus something which is installed in a "secured" location such as Program Files.  The product will notify you, via a small icon, that it has downloaded a new version.  When you close the browser and start it again, it's switched to it.

Antivirus and Antispyware for the Home and Corporate user

Since endpoint protection is of growing importance in the security industry, you will see some major technical advances this year.  I expect this to be one of the hot buttons for acquisition as technologies such as whitelisting and more connected heuristics create a more advanced software landscape.

Since I have quite a bit of experience and I do keep on top of the industry, I believe that I should outline some of the tools I recommend in both cases.

One side note, I do not use MacOS so I cannot recommend any software for Macs.  If Apple can apply some of the success they have had with iOS to OSX then I may have to spend more time thinking about them on the PC front.

Corporate AV/Antispyware:

  • McAfee - Does a good job with a suite, but ePO is still a bloated tool which is hard to manage effectively without creating gaps.
  • Symantec - I don't recommend the products for endpoint protection; in my experience I see too many missed viruses with the product.
  • Trend Micro - Does a good job at a lower price point than the big two in AV.
  • GFI Vipre - My personal favorite, this is a cheap easy endpoint antivirus solution which works very well.  There are a few gaps in the product they should shore up in the next 6 months, but overall I would recommend this product in a corporate environment.

I have more I would recommend, but I am not going to cover them.  Products I would like to test for corporate use:  Avast and Microsoft.  If I have time I will try both of them in the next couple weeks.

Personal AV/Antispyware:

  • Microsoft Security Essentials - This is what I would tell my mom to use: it works, and it's maintenance-free!  Sometimes this is the best option for a typical end user.
  • Avast - This is what I recommend and run.  In version 6.0 they have added a lot of new features and improvements.
  • AVG - Another very good option; this would probably be my second choice personally.
  • Microsoft Defender - It's free and does a decent job preventing spyware.
  • Spybot S&D - Free and works great for spyware infections.
  • CCleaner - Free, and this is a great overall system cleanup tool.  It will fix spyware issues, registry issues, and other problems.  If you don't run this type of tool every month or so, your Windows installation will slow down in a much shorter amount of time.

Tuesday, February 8, 2011

Time to move on, and time to learn

Sorry it's been a while since I have posted last.  I decided to move on from my previous position.  I learned a lot there, but it was getting somewhat slow the last 6 months.  My skills are better used for more complex problems that the IT world is facing.  I have had some pretty interesting discussions and interviews in the last week.  I was hoping to enjoy my unemployment a little bit more.... maybe after my offer is signed.

Some non-technical notes: since I have a diverse set of skills, I find my resume geared towards one type of career path and not another.  This limited my opportunities to "get in the door" for some positions I think I would be well suited for.  I have started by making some more detailed and targeted versions of my resume which are geared towards some of the other fields that I have experience in.

I wish there was a better way to manage and express all of your skills without having a 15 page resume, or 4 versions that are mostly the same.  If anyone has comments or ideas please leave them!

If anyone wants to discuss any openings with me, there is a Digsby chat here, or you can email me from the blog.

Now for some technology projects and learning:

Since I have some free time and feel that I have been off my Oracle game for the last 2-3 years I am evaluating and testing several products.  Expect another post later this week on these products:

1.  Oracle 11g and Weblogic (used these, but it was 3-4 years ago)
2.  Oracle Enterprise Manager - Specifically around the VM management parts
3.  Oracle Linux
4.  Oracle VM
5.  Oracle Real User Experience Insight - Never heard of this before, but it looks interesting!

I am looking at these to see where Oracle/Sun have gone the last couple years, and just as a general educational experience for me.

Wednesday, January 19, 2011

Sonicwall 5.8 New Features

I'm very impressed by all the new features that Sonicwall has added to v5.8.  I spoke to Jock Breitwieser and Eric Crutchlow who gave us a nice overview of some of the features.  I wanted to make sure I didn't miss anything as there were quite a few changes.  There are even more NG (Next Generation) Firewall features coming this year in v6.0.  Sonicwall has been a great vendor for us, I am very happy we moved to their platforms.

Here are some of the new features (screenshots), with some explanation above each screen capture.

Before you can turn on the netflow sender (and built-in netflow collector) you need to consider the impact this will have on your firewall.  You should keep an eye on your CPU and ensure you aren't running above 50%, or you will probably have CPU contention issues.  You also need to be aware that the memory usage of the netflow database and visualization will reduce your peak connections.  This model is an NSA 3500, which prior to netflow could handle 35,000 stateful connections; it can only handle 49,152 when I have all of the DPI (Deep Packet Inspection) and netflow features enabled.  This includes gateway antivirus, content filtering, IDS/IPS, and more.  As you can see we don't go over 4000, which makes this a non-issue.  Most firewalls can handle much higher workloads for connections and CPU than people are using.

First you have to turn on flow reporting.  You can turn it on internally and/or send it off to another netflow collector: SolarWinds makes a nice free netflow collector as well.

Once you have netflow turned on you can see the applications below being collected; there are many views, graphs, and other options:

Here is a user list with our AD users and how much traffic, connections, and throughput they are doing.  You will need to set up SSO for this to work (more on that later):

Here is the realtime monitor.  This is the default view, which shows the main applications; you can filter by interface or by application and see realtime usage:

Here is a view of just some of the applications I picked: Evernote, Twitter, Wikipedia, Google, Twitter:

Now for the SSO: you need to set up a small program on a Windows host which will get requests from the firewall and look up the users via Active Directory in order to correlate the DHCP address (we use Windows DHCP) with the username.  Here is the SSO setup screen:

When you click Configure next to the "SonicWALL SSO Agent" you get the following screen, where you can set up the agent and view the stats for the agent process:

Sonicwall has also added Application Control, a set of rules which allow for much more customized actions based on the application detection engine.  Before you can use these rules you need to turn App Control on (below), and then turn it on for a zone.  After that you can control the applications.  I have attached some additional applications below as well:

You can also define your own custom applications, which can be used in rules:

The Content Filter can use Users/Zones (legacy) or App Rules, which are far more flexible.  They can be restricted and bandwidth-controlled:

Email addresses and content can also be included in App Rules:

Here are the Action objects (what you want to do if an App Rule is matched).  You can also define your own.  Note that you have options such as Bandwidth Management, Blocking, Ignoring DPI, or enabling a packet capture session (for debugging those difficult-to-find issues).

If you have any questions please leave a comment or hit me up on Twitter or instant messenger.  I hope you found this useful!