Port80 at TechEd 2007 (with no time to live blog)

Posted: June 13th, 2007
Filed under: IIS & HTTP


Orlando, city of humidity, Disn-o-Universal, and TechEd 2007, the latter being Microsoft’s key yearly show for customers, partners, and learning.

Port80 Software was there in force this year with live IIS7 demos, free site reviews, and IIS and HTTP tips and tricks for all. It all started on Saturday, June 2, as Port80 forces descended on Orlando by plane and car (we took alternate routes to avoid suspicion). No time for dinner, just check in and get ready for Sunday, the booth set-up day. Yes, someone has to put these things together, and you would be surprised how even the best-laid booth plans can change when you are on the ground. Despite a few hiccups and curses, the booth became reality… All demos were set up, including a ServerMask ip100 dongle, which was placed between the booth’s Internet connection and the booth CPUs. We wanted to keep the casual probers and any crackers at TechEd from getting in… plus we hoped to show our logs the next day of all the hacker probes which the ServerMask ip100 had blocked the night before. It seemed like a good idea at the time.

Ready for Monday AM, Port80 retired to the House of Blues for well-deserved cocktails at 8PM Sunday night with partners Arxceo and PrivacyWare.

9PM: Dinner complete (great seared tuna, per Port80’s Joe Lima).

10PM: More cocktails.

11PM:  Cocktails interrupted.

Chris from Port80 glanced down at his cell phone.  Who could be calling tonight? The show had not even started… It was the main booth organizer from Microsoft for TechEd, and there was an emergency.

“What device did you guys leave in your booth?” she asked.

“Device?” Chris responded, “What do you mean?”

The booth organizer continued: “Well, the folks at SmartCity, who manage the show’s network, started to see the network shut down a few hours ago.  They tracked it down to your booth, and found an odd orange-colored device in there.  When they removed the device from your booth, the network was able to be restored.”

Whoops, Chris thought. The ServerMask ip100.  But that little hacker anti-recon dongle only reacts when it is aggressively probed, and the more aggressive the probe, the more confusing data it generates…  oh, boy.

“That is one of our products,” Chris said.  “It is a security device, should be cool.  I cannot believe it crashed the TechEd network.”

“Well, it did, and it has been confiscated for the time being… you should check back in with security in the morning.”

11:05PM: Cocktails continued.

In the morning, we got this little message in the booth from the TechEd show’s network managers:

It is funny, yes, but the story demonstrates the power of anti-reconnaissance and intrusion prevention (and the interplay between monitoring and security, a fine line to be walked for sure). Port80 considered any IP outside the booth to be untrusted if there was any form of probing; the SmartCity monitoring at TechEd, meant to keep worms and malware from spreading throughout the show, was designed to aggressively monitor what was happening at every IP/port combination it could “find” at every downstream connection.

The result: the ServerMask ip100 won, until it was physically removed from the booth.  Here is a picture of the little guy:

 

The moral of this tale? Anti-reconnaissance is a very powerful intrusion prevention defense.  And you just never know when even an internal attack could be launched at your network… and if you are monitoring your network and have a ServerMask Security Appliance deployed, use the whitelist for your monitoring IPs to avoid this type of situation…  and ServerMasking rules!

By 11:45AM Monday, the booth was up (minus our ip100 — the device was returned, with the proviso that it would not be used at the show again… bummer on showing those ServerMask logs to folks, right?), and we were open for business.

Port80 Software had a blast at TechEd.  We spoke with many great customers, partners, and even a few competitors.  If you were there, you may have heard a few of these lines from the Port80 folks:

“Low cost and high impact Windows IIS Web tools? Yep, we got ‘em.”

“Getting overcharged and underserved by appliance vendors? Talk with us.”

“Need a custom IIS tool?  Yeah, we can help there.”

“http.sys?  Not our department, but we know the guys.”

It was so great to meet people face-to-face, hear what their real-world issues are and see it in their eyes, and offer good, affordable solutions to almost every security and performance issue that they had.  People were also excited about the upcoming remote management and deployment options coming to all Port80 tools later this year, and some even took the time to see the world’s first Web app firewall running on IIS7 and Windows Server 2008, ServerDefender.  This tool will be launched on the Port80 site very soon, but the feedback was excellent!

Thanks to all that stopped by to meet Port80 Software at TechEd 2007 in Orlando this year.  We will announce the winner of the XBOX 360 tomorrow on our blog, and it will be mailed to the lucky winner next week.

If you have a chance to go to TechEd 2008, don’t miss it.  It is a fun trip with real learning opportunities and a chance to see what is here and what is coming to Windows soon.

Cheers,
Port80

7 Comments on “Port80 at TechEd 2007 (with no time to live blog)”

  • I see stacks of t-shirts on the booth floor. I want one!

    Posted by: JC at 7:50 am on June 14th, 2007
  • Um, a device that brings down networks? Call me crazy, but that doesn’t sound like something I’d want.

    Posted by: Chad at 11:18 am on June 27th, 2007
  • Hey there, Chad,

    If it is a hacker’s network that is scanning your servers for a way in, then bringing down their network is a good thing, no?

    That is the idea here…

    Cheers,

    Chris @ Port80

    Posted by: Chris @ Port80 at 11:20 am on June 27th, 2007
  • I’d have to agree with Chad. I don’t know why you’d brag about a device that shut down the entire TechEd network because it was probed by a hacker. Sounds really dumb to me.

    Posted by: Ben at 1:45 pm on June 27th, 2007
  • Hey Ben,

    A hacker had nothing to do with the "TechEd Incident", but the story illustrates how the device works against any network probe…

    In this case, the monitoring from Microsoft’s vendor (SmartCity) hired to handle security for TechEd’s network was aggressively probing the connections downstream to monitor for any virus outbreaks or hacking at the conference. When the monitoring software got to Port80’s booth, they started getting responses to all sorts of IP/port combinations, and time-outs, and other fun pieces of data. The result? It crashed their network…

    The analogy is that any hacker similarly scanning a network protected by a ServerMask ip100 or IP100 appliance would get similar results — their scanner like Nmap or Nessus or the like would be defeated…

    Please do take a look at the appliances and their feature set at http://www.port80software.com/products/servermask/appliances — and let us know where we can answer any question, big or small.

    Thanks for your feedback as well!

    Sincerely,

    Chris @ Port80

    Posted by: Chris @ Port80 at 2:02 pm on June 27th, 2007
  • I think the point that Chad and Ben were missing here is that, as far as the ip100 was concerned, the TechNet network was the hacker network, as it was being used by SmartCity to probe the ip100. If the IPs being used by SmartCity had been added to the whitelist in the ip100, then nothing would have happened.

    Posted by: Dominic at 5:01 am on July 18th, 2007
  • You are so right, Dominic. If Port80 had had the chance to whitelist them, it may have avoided the excitement. However, we can still see the power of TCP/IP anti-recon and IDS in the story.

    Nice http://www.iis-aid.com site, Dominic!

    Cheers,

    Chris @ Port80

    Posted by: Chris @ Port80 at 12:15 pm on July 20th, 2007