Sonicwall Soho2
Hello,

One of our small subsidiaries needs to install a firewall. We are used to working with Checkpoint products, but this subsidiary has been contacted by a local Sonicwall distributor. They are trying to sell them a Sonicwall Soho2. We have no knowledge of this product, and I am wondering how it compares to FW-1 or other products. I would be pleased to receive your comments about Sonicwall.

Thanks.
F.

___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
RE: Sonicwall Soho2
Well, the first thing to understand is that Sonicwall is a transparent bridge, not a router. This means that you will have to think differently with Sonicwall when you are making your routing considerations. Sonicwall is capable of generating ICMP redirect messages, which is somehow called routing, but this was (is?) limited to C-class networks, which might be a pain in some situations.

If you are using VPNs you should reconsider using Sonicwall (it is compatible with FW-1, but configuration/troubleshooting is a lot easier when you have identical software on both ends). And of course you will lose the capability of centralized management of all your firewalls.

Sonicwall uses a web-based interface for configuration/log browsing.

Sonicwall is a simple device which is more capable of doing the things it is supposed to do than FW-1, but sometimes this is not enough. So consider your requirements for a firewall and then see if Sonicwall will fulfill those.

I think that Sonicwall has SOHO3 models already out which pack a little bit more punch than earlier models and might have something else interesting too (I don't know), so if you end up choosing Sonicwall, why not take the newest model.

rgds,
Harri

Firewall-1 is software which is capable of doing almost anything, but sometimes you will have to create incredible kludges to make things work. (personal opinion)

-----Original Message-----
From: ext Frederic Lemoine [mailto:[EMAIL PROTECTED]]
Sent: 09 January, 2002 09:31
To: [EMAIL PROTECTED]
Subject: Sonicwall Soho2
FireWall-1 versus Cisco
Hello everybody!

I am a newbie on this mailing list and I am looking for some kind of documents which compare CheckPoint FireWall-1 and Cisco PIX / IOS, I mean the good points and bad points of both products, to help me make a choice in my architecture.

Thanks in advance and happy new year.

Gilles LAMI

PS: sorry for the long disclaimer.
PIX Access list
Hello,

Cisco router access lists allow the administrator to define whether the list must be applied to the INcoming or OUTgoing traffic of a given interface. It seems that PIX access lists don't permit that. So, my question is: if I bind a list to an interface, is this list applied against the outgoing, incoming or both kinds of traffic?

Thank you
Edson
Stateful inspection on PIX
Hello again,

Sorry if this is a stupid question. I've been reading the PIX docs and it's written that PIX is stateful. Let's suppose that a host (behind the internal interface) queries a DNS server that is located behind the outside interface. By default, all traffic that comes from the inside interface to the outside is allowed, so the query passes through the firewall, right? What about the answer? As PIX is stateful, does this mean that the answer to this specific query is allowed? If not, do I have to apply an access list to allow the answers?

Thanks
Smoothwall
Does anyone on this list use SmoothWall?
FW-1 log viewer radiates
I'm not sure how much to make of this problem, but I know it makes me feel uneasy. Perhaps this has been discussed a lot, but I suspect the problem is not well known; it was certainly a surprise to the on-duty technician at the company that does our firewall support.

Unless you tell the FW-1 log viewer not to resolve IP addresses, it appears it goes through the following process to resolve an IP address. (I *think* I have this order correct; someone PLEASE speak up if I've got it wrong.)

1. It looks in its list of Network Objects to see if you've given a name to this IP address. If it finds one, it will use this one, regardless of other methods of resolving the address.
2. It queries the IP address in question trying to resolve its Netbios name.
3. It queries DNS to reverse-resolve the IP address.

The problem is #2. It appears there is no way to tell the FW-1 log viewer to continue to try to resolve IP addresses using 1 and 3 but to turn off 2. I would very much like to be able to do this. In my opinion, trying to resolve the Netbios name is a complete botch, on several counts:

1. It is generally speaking *USELESS* information. (I suppose it could be quite useful to crackers, but what good does it do *ME* in defending my system against flying infectious space junk to know that someone scanning me has named their computer PLUTO or hasn't changed it from OEMCOMPUTER?)
2. The Netbios query goes directly to the computer that is scanning me (unless the IP address is spoofed, of course ...). There are lots of reasons not to want to do this. It turns *me* into a Netbios scanner. Some people might think this impolite. It RADIATES information to the scanner. This is the part I *really* don't like.
3. As currently implemented, the Netbios name -- if one is found -- actually *HIDES* information I *do* want: the DNS information. Oh, of course I can get that if I want to take the trouble to do it, but then in this case I could also turn off address resolution completely and resolve IP addresses myself one by one -- what a pain. I'm sure there's a scripted solution to this problem -- turn off address resolution, and filtering the log through a little bit of Perl will do the trick -- but since I've presumably paid decent money for the log viewer, I sure wish it would do the right thing ...

Of course if a cracker has taken down an entire network, you radiate information just by making a DNS query too, but this is far less common than a cracked machine using an ISP where the DNS servers may be OK. A DNS query goes only as far as the DNS servers, but a Netbios query goes straight back to the exact machine one is concerned about: you're talking straight back to the cracker or zombie or hapless victim -- whoever sent you the scan. If I want to talk back to a machine scanning me, that should be my decision; it shouldn't happen by default just because I'm trying to make sense out of my firewall logs.

I got tipped off to this problem while trying to pay attention to a particular IP address that has been scanning me on a particular port I pay careful attention to. I started noticing consistently that whenever I set a selection filter to look at just this IP address, within a few seconds I would see *NEW* ICMP entries in my log from this guy. At first this unnerved me, until I finally realized he was sending me ICMP messages in response to my Netbios queries to resolve his IP address. This particular kind of conversation with some unknown party I'm trying to keep at arm's length is profoundly uncomfortable.

I sure wish Checkpoint would give me a way of turning off **JUST** Netbios name resolution!!

---
#include disclaimer.h
Jim Rosenberg
Ross Mould
E-mail: [EMAIL PROTECTED]
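The "scripted solution" Jim mentions (export the log with address resolution switched off, then add names from the outside) is easy to write so that only the two quiet lookups happen: the administrator's own Network Objects table first, then a reverse DNS query that goes no further than the local resolvers. The script below is an added example, not Check Point's code and not the log viewer's real export format; the semicolon-separated layout, the network-object table, the sample log lines and the addresses are all constructed for the demonstration, and the `ptr` parameter exists so the lookup can be swapped for a canned one when run offline.

```python
"""Annotate exported FW-1 log lines with names using only the two quiet lookups
from the post: the admin's own Network Objects, then reverse DNS. No NetBIOS
(or any other) query is ever sent to the logged host itself.

Added example, not Check Point code. The semicolon-separated layout, the
network-object table and the addresses below are constructed; a real export
would come from the log viewer with address resolution switched off.
"""
import socket
from typing import Callable, Dict, List, Optional

# Constructed: names the administrator has assigned to known hosts.
NETWORK_OBJECTS: Dict[str, str] = {
    "192.0.2.10": "mailhost",
    "198.51.100.7": "partner-vpn",
}

# Constructed sample export (resolution off, so src/dst columns are raw IPs).
SAMPLE_LOG = """\
num;date;time;action;i/f_name;proto;src;dst;service
1;9Jan2002;10:14:02;drop;eth0;udp;203.0.113.5;192.0.2.10;137
2;9Jan2002;10:14:03;accept;eth0;tcp;198.51.100.7;192.0.2.10;500
3;9Jan2002;10:14:09;drop;eth0;icmp;203.0.113.9;192.0.2.10;
"""

Resolver = Callable[[str], Optional[str]]


def reverse_dns(ip: str) -> Optional[str]:
    """PTR lookup: this talks to our own resolvers only, never to the peer."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def resolve(ip: str, objects: Dict[str, str] = NETWORK_OBJECTS,
            ptr: Resolver = reverse_dns) -> str:
    """Step 1 (Network Objects) wins outright; step 3 (reverse DNS) is the
    fallback; step 2 (a NetBIOS query to the host) is simply never done.
    Returns the bare address when nothing resolves."""
    name = objects.get(ip)
    if name:
        return name
    return ptr(ip) or ip


def annotate_log(text: str, objects: Dict[str, str] = NETWORK_OBJECTS,
                 ptr: Resolver = reverse_dns) -> List[str]:
    """Append src_name/dst_name columns to every data line, caching lookups so
    a noisy scanner that appears thousands of times costs one PTR query."""
    lines = text.splitlines()
    header = lines[0].split(";")
    src_i, dst_i = header.index("src"), header.index("dst")
    cache: Dict[str, str] = {}

    def lookup(ip: str) -> str:
        if ip not in cache:
            cache[ip] = resolve(ip, objects, ptr)
        return cache[ip]

    out = [lines[0] + ";src_name;dst_name"]
    for line in lines[1:]:
        fields = line.split(";")
        out.append(f"{line};{lookup(fields[src_i])};{lookup(fields[dst_i])}")
    return out


if __name__ == "__main__":
    for row in annotate_log(SAMPLE_LOG):
        print(row)
```

Because the only network traffic the script generates is a PTR query to the site's own resolvers, the scanning host never sees anything in return for appearing in the log, which is exactly the behaviour the post asks the viewer for. Keeping the raw address column and appending the name as a new column also avoids the third complaint: a resolved name never hides the data it was derived from.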
RE: Stateful inspection on PIX
-----Original Message-----
From: Edson Yamada [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 9 January 2002 12:32
To: lista fw
Subject: Stateful inspection on PIX

> Let's suppose that a host (behind the internal interface) queries a DNS server that is located behind the outside interface.

Let's assume a TCP packet (OK, I know: if you are doing zone transfers it's TCP, or even in queries) because the UDP case is a little different.

> By default, all traffic that comes from the inside interface to the outside is allowed, so the query passes through the firewall, right?

Yes.

> What about the answer? As PIX is stateful, does this mean that the answer to this specific query is allowed?

Yes. When the translation is built in the PIX it also records some characteristics in a state table (port, IP src, dst, flags ...); then when the response comes it is checked against this table to see if there is a match.

> If not, do I have to apply an access list to allow the answers?

Nope, because if there is no state for that specific packet it will be dropped.
RE: PIX Access list
It's applied only to traffic entering the interface.

Regards
BF

-----Original Message-----
From: Edson Yamada [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 9 January 2002 12:28
To: lista fw
Subject: PIX Access list
forwarding in interfaces ethernet
Hi.

I have a PIX 525 with 4 Ethernets:

  1 ethernet = inside (10.10.10.1/24)
  2 ethernet = real (Internet IP z.x.w.q/24)
  3 ethernet = outside (Internet IP a.b.c.d/24)

The default route is a.b.c.x. I have the following rules:

  conduit permit icmp any any
  nat (real) 0 z.x.w.r 255.255.255.255

The ethernet "real" is inside my LAN:

  Internet---outside real inside---LAN

The clients have IPs 10.10.10.x and z.x.w.r/24. The clients have no problem reaching the Internet. But I don't see pings from 10.10.10.x to z.x.w.r/24. I do see pings from the Internet to z.x.w.r/24. What is the problem??

Thanks for helping me.

--
Johnny Gonzalez Dominguez
Ingenieria de Software
Telecable Morelos
Cuernavaca, Morelos
Tel. (52)(777)3292475
[EMAIL PROTECTED] [EMAIL PROTECTED]
ICQ #75046976
Re: Smoothwall
I had been using it before I discovered Astaro (home network). Why?

/F

----- Original Message -----
From: Phil Labonte [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, January 09, 2002 2:50 PM
Subject: Smoothwall
RE: Sonicwall Soho2
At 10:56 AM 1/9/2002 +0200, [EMAIL PROTECTED] wrote:
> Well, first thing to understand is that Sonicwall is transparent bridge not a router.

The Sonicwall Soho (not 2) that I have had for a couple of years is a router. It also does NAT and a set of firewall filtering functions. The device is definitely not a bridge. That is, it very clearly works at the IP level, rather than at layer 2.

d/
--
Dave Crocker mailto:[EMAIL PROTECTED]
Brandenburg InternetWorking http://www.brandenburg.com
tel +1.408.246.8253; fax +1.408.273.6464
RE: PIX Access list
Connections on the PIX are defined as either from a lower to a higher security level or from a higher to a lower security level. Lower-to-higher security connections are controlled by the access-list and access-group commands. Higher-to-lower security connections are controlled by the nat and global commands. Check the following URL: http://www.cisco.com/warp/public/707/28.html

Glenn

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Edson Yamada
Sent: Wednesday, January 09, 2002 7:28 AM
To: lista fw
Subject: PIX Access list
RE: FW-1 log viewer radiates
While in general I would agree with you that the NETBIOS name is useless, the way to fix this is, of course, to run the firewall and/or management console on Linux or Sun rather than on WinNT. :-)

Dan

-----Original Message-----
From: Jim Rosenberg [mailto:[EMAIL PROTECTED]]

> In my opinion, trying to resolve the Netbios name is a complete botch, on several counts:
> 1. It is generally speaking *USELESS* information. (I suppose it could be quite useful to crackers, but what good does it do *ME* in defending my system against flying infectious space junk to know that someone scanning me has named their computer PLUTO or hasn't changed it from OEMCOMPUTER?)
Ahhh, the perks of managing government networks
If you get fed up with SPAM and script kiddies, just:

  access-list reject_all deny ip 210.0.0.0 255.0.0.0 any
  access-list reject_all deny ip 211.0.0.0 255.0.0.0 any

Hmm, who next? I think I remember some BO scans from Poland last week...

  access-list reject_all deny ip 195.0.0.0 255.0.0.0 any

Man, is it lunch time yet? I think I'll take a nap... hehe

Marc..
Re: FW-1 log viewer radiates
On Wed, 9 Jan 2002, Jim Rosenberg wrote:
> 1. It looks in its list of Network Objects to see if you've given a name to this IP address. If it finds one, it will use this one, regardless of other methods of resolving the address.
> 2. It queries the IP address in question trying to resolve its Netbios name.
> 3. It queries DNS to reverse-resolve the IP address.

... if you have WINS configured or use the Novell client it uses these methods too.

= STANDARD Microsoft technique of name resolution: be as noisy as possible

name resolution := computer names + user names + services + ...

Regards,
Achim Dreyer
---
A. Dreyer, UNIX System Administrator and Internet Security Consultant
Re: forwarding in interfaces ethernet
Well, you left out some info. First off, what are the security levels for ethernet2 and ethernet3? Are you using syslog? What is the PIX logging when you try the ping that fails? Also, can you show all nat, global, and static rules for eth2 and eth3?

--- Johnny Gonzalez [EMAIL PROTECTED] wrote:
> I have pix 525 with 4 ethernets. [...] But I no see pings from 10.10.10.x to z.x.w.r/24. I see pings from internet to z.x.w.r/24. Whats is the problem??
Re: [Security for] Analysis port for 3com 3300 was Re: (no subject)
Because this is a firewalls list, this thread can serve as a good segue into a question about switch security that has been on my mind for some time:

Most switches support remote management features like web interfaces, SNMP, telnet, etc. If these switches are hacked, someone can not only cause a denial of service, but also use the port mirroring feature to sniff traffic. So, I am curious to know the thoughts of others in addressing this issue. (I know that some of the more expensive switches and routers can utilize encrypted passwords, but I believe community strings are still clear text, correct?)

At 1/4/2002 12:10 PM, [EMAIL PROTECTED] wrote:
> With the 3com 3300, in order to monitor the network traffic that is traversing the 3com 3300 switch, one must configure what is called a monitor port or analysis port (under the Roving Analysis Setup) using the 3com Switch Management Software. One has to define an Analysis port (the port that is connected to the Sniffer) and a monitor port (the port that is being monitored). Once the two are defined, and it is enabled via the Switch Management software, the stack passes all the traffic going in and out of the monitor port and copies it to the analysis port. If you are attempting to monitor traffic across multiple VLANs, an analysis port must be set up in each VLAN used by the 3com 3300.
>
> Note: The analysis port should be configured to have a higher bandwidth than the monitor port; otherwise, not all traffic that is being analyzed will be captured entirely.
>
> /hope this helps
> /cheers,
>
> *useless memorization of switch/router configuration options.. * (these types of questions never appear on a CISSP exam. :-)
>
> /m
>
> At 11:53 AM 1/4/2002 -0800, William Stackpole wrote:
> > Daniel,
> > Most switches will allow one or more ports to be combined or cross-connected for this very purpose. If this isn't possible then the best you can do is put the sniffer on the backbone segment attached to the switch. You wouldn't be able to see the traffic between individual switch nodes, but you will see conversations out to servers, Internet connections etc. The other alternative, if this is a temporary situation for troubleshooting purposes, is that you could replace the switch with a hub.
> > --
> > Bill Stackpole, CISSP
> >
> > ----- Original Message -----
> > From: [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Sent: Friday, January 04, 2002 11:14 AM
> > Subject: (no subject)
> >
> > > Hi, how do I use a sniffer on a switch in a way that permits capturing all traffic? (3com 3300)
> > > Thanks in advance,
> > > Daniel

*
Kenneth H. Milder
Los Alamos National Laboratory
Computing, Communications Networking Division (CCN)
Network Engineering Group (CCN-5)
Network Support Team (NST)/X Division Computing Services Team (XCS)
MS-F645
Los Alamos, New Mexico 87545-0010
Office: (505)667-2552  Fax: (505)665-3389
E-mail: [EMAIL PROTECTED]
*
Cisco Security Advisory: Multiple Vulnerabilities in Cisco SN 5420 Storage Router
-----BEGIN PGP SIGNED MESSAGE-----

Cisco Security Advisory: Multiple Vulnerabilities in Cisco SN 5420 Storage Routers

Revision 1.0
For Public Release 2002 January 09 08:00 (UTC -0800)

Summary

Three vulnerabilities have been discovered in Cisco SN 5420 Storage Router software releases up to and including 1.1(5). Two of the vulnerabilities can be used to cause a Denial-of-Service. The other allows access to the SN 5420 configuration if it has been previously saved on the router. There is no workaround for these vulnerabilities. No other Cisco product is vulnerable.

This advisory is available at http://www.cisco.com/warp/public/707/SN-multiple-pub.shtml

Affected Products

Cisco SN 5420 Storage Routers running software releases up to and including 1.1(5) are affected by the vulnerabilities. Please note that version 1.1(6) of the software was never released by Cisco. To determine your software release, type "show system" at the command prompt. No other Cisco products are affected.

Details

CSCdv24925: It is possible to read the stored configuration file from the Storage Router without any authorization.

CSCdu32533: By sending an HTTP request with huge headers it is possible to crash the Storage Router.

CSCdu45417: It is possible to halt the Storage Router by sending a fragmented packet over the Gigabit interface.

Impact

CSCdv24925: An unauthorized person may read the configuration of the Storage Router. That may lead to unauthorized access to storage space.

CSCdu32533: By exploiting this vulnerability an attacker can cause a Denial-of-Service.

CSCdu45417: By exploiting this vulnerability an attacker can cause a Denial-of-Service.

Software Versions and Fixes

All three vulnerabilities are fixed in release 1.1(7) of the software, which is available on CCO. Please note that version 1.1(6) of the software was never released by Cisco.

Obtaining Fixed Software

Cisco is offering free software upgrades to eliminate these vulnerabilities for all affected customers. Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's Worldwide Web site at http://www.cisco.com.

Customers whose Cisco products are provided or maintained through a prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with the upgrade, which should be free of charge.

Customers who purchase direct from Cisco but who do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale, should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows:

  * +1 800 553 2447 (toll-free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: [EMAIL PROTECTED]

Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Please do not contact either [EMAIL PROTECTED] or [EMAIL PROTECTED] for software upgrades.

Workarounds

CSCdv24925: It is possible to mitigate this vulnerability by blocking access at the network's edge and by using hard-to-guess names for the saved configuration.

CSCdu32533: There is no workaround for this vulnerability.

CSCdu45417: There is no workaround for this vulnerability.

Exploitation and Public Announcements

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were found internally during product testing.

Status of This Notice: FINAL

This is a final notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all of the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this notice unless there is some material change in the facts. Should there be a significant change in the facts, Cisco may update this notice.

A standalone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and
Subject: PIX Access list
In the PIX configuration Access Lists are for outbound traffic. Use the Conduit command for inbound controls.

Message: 3
Date: Wed, 9 Jan 2002 10:27:49 -0200 (BRST)
From: Edson Yamada [EMAIL PROTECTED]
To: lista fw [EMAIL PROTECTED]
Subject: PIX Access list
Stateful Pix
Yes, the PIX will allow the answers to the DNS queries back in without any other configuration.

Message: 4
Date: Wed, 9 Jan 2002 10:32:19 -0200 (BRST)
From: Edson Yamada [EMAIL PROTECTED]
To: lista fw [EMAIL PROTECTED]
Subject: Stateful inspection on PIX
Re: Subject: PIX Access list
In newer PIX code (5.3x+, I think) you can use access-lists both ways... you can do away with conduit commands altogether if you wish..

cheers..

Chew, Freeland (Roanoke) [EMAIL PROTECTED] 01/09 12:34 PM wrote:
> In the PIX configuration Access Lists are for outbound traffic. Use the Conduit command for inbound controls.
Re: [Security for] Analysis port for 3com 3300 was Re: (no subject)
On Wed, 9 Jan 2002, Ken Milder wrote:
> Most switches support remote management features like web interfaces, SNMP, telnet, etc. If these switches are hacked, someone can not only cause a denial of service, but also use the port mirroring feature to sniff traffic. So, I am curious to know the thoughts of others in addressing this issue.

My take: if you need to manage a switch, you've got WAY too much time on your hands. I've never put an IP address on a switch, and can't see any valid reason for doing so that isn't better done at some other level or via a different vector (such as a terminal server wired to console ports). In-band management wasn't good for the phone system, and it's not good for IP networks.

Paul
-
Paul D. Robertson    My statements in this message are personal opinions
[EMAIL PROTECTED]    which may have no basis whatsoever in fact.
Re: Subject: PIX Access list
OK, let me clarify something; I sense a bit of confusion here..

You need to free yourself from this INcoming/OUTgoing concept you are using when referring to the PIX, OK? Because you can only ever see ONE interface depending on which side of the device you're on (if your architecture is designed properly). You apply your access lists to the interface... period... the direction of data flow is irrelevant.

If you want to restrict what traffic enters your network from the OUTSIDE (usually the Internet), you apply the access-list to that interface (usually the OUTSIDE interface or Eth0). If you want to restrict what traffic goes out of your network from your internal hosts, you apply the access-list to the interface that your internal hosts are hitting (usually the INSIDE interface or Eth1).

Clear as mud??

Date: Wed, 9 Jan 2002 10:27:49 -0200 (BRST)
From: Edson Yamada [EMAIL PROTECTED]
To: lista fw [EMAIL PROTECTED]
Subject: PIX Access list
Re: Stateful Pix
Not a stupid question at all. The default configuration will let DNS queries pass, yes. However, if you use the default config, you might as well put your PIX back in the box and return it, and get your 15k back. You need to create access lists to DENY EVERYTHING first. Then add access-lists for the traffic you want to allow. For example, if you want to enable web traffic you need to create access-lists to allow UDP domain queries, and another access-list to allow web (eq www) queries.. Now if you have devices in your DMZ and/or are running NAT it gets slightly more complicated, but not much.. cheers.. Marc..

Date: Wed, 9 Jan 2002 10:32:19 -0200 (BRST) From: Edson Yamada [EMAIL PROTECTED] To: lista fw [EMAIL PROTECTED] Subject: Stateful inspection on PIX
Hello again, Sorry if this is a stupid question. I've been reading the PIX docs and it's written that PIX is stateful. Let's suppose that a host (behind the internal interface) queries a DNS server that is located behind an outside interface. By default, all traffic that comes from the inside interface to the outside is allowed, so the query passes through the firewall, right? What about the answer? As PIX is stateful, does this mean that the answer for this specific query is allowed? If not, do I have to apply an access list to allow the answers? Thanks
** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.mimesweeper.com **
___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
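The two PIX replies above both come down to one model: an access list is bound to an interface, entries are evaluated top-down, and whatever no entry permits is dropped. The following is an added example written for this thread, not PIX code and not anything posted by the list members; it models that first-match evaluation with an implicit deny in plain Python. The rule syntax, the interface names and all addresses (10.10.10.0/24 inside, TEST-NET-2 addresses outside) are constructed for illustration.

```python
"""Added example (not PIX code): a first-match interface ACL model for the
advice above, where nothing is allowed unless a permit entry matches.
Rule syntax, interface names and addresses are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp", "icmp" or "ip" (ip matches any protocol)
    src: str                 # "any" or a CIDR prefix such as "10.10.10.0/24"
    dst: str                 # same syntax as src
    dst_port: Optional[int]  # None matches any destination port


def _matches_net(ip: str, spec: str) -> bool:
    """True when ip falls inside spec; "any" matches every address."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def evaluate(acl: List[Rule], proto: str, src: str, dst: str, dst_port: Optional[int]) -> str:
    """Walk the list top-down and return the action of the first matching entry.

    If no entry matches, the packet is denied: this models the implicit deny
    that sits at the end of an interface access list, so the order of entries
    decides what happens.
    """
    for rule in acl:
        if rule.proto != "ip" and rule.proto != proto:
            continue
        if not _matches_net(src, rule.src) or not _matches_net(dst, rule.dst):
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        return rule.action
    return "deny"  # implicit deny: nothing matched


# ACL bound to the inside interface: hosts on 10.10.10.0/24 may only resolve
# names (UDP/53) and browse the web (TCP/80); everything else hits the implicit deny.
INSIDE_ACL = [
    Rule("permit", "udp", "10.10.10.0/24", "any", 53),
    Rule("permit", "tcp", "10.10.10.0/24", "any", 80),
]

# The same permits placed *after* a deny-everything entry are never reached,
# which is why a catch-all deny belongs at the end (or stays implicit), not at the top.
SHADOWED_ACL = [Rule("deny", "ip", "any", "any", None)] + INSIDE_ACL


def check_policy() -> dict:
    """Exercise both lists with constructed flows (TEST-NET-2 addresses outside)."""
    return {
        "dns_out": evaluate(INSIDE_ACL, "udp", "10.10.10.20", "198.51.100.53", 53),
        "web_out": evaluate(INSIDE_ACL, "tcp", "10.10.10.20", "198.51.100.80", 80),
        "smtp_out": evaluate(INSIDE_ACL, "tcp", "10.10.10.20", "198.51.100.25", 25),
        "other_src": evaluate(INSIDE_ACL, "udp", "10.10.99.5", "198.51.100.53", 53),
        "shadowed_dns": evaluate(SHADOWED_ACL, "udp", "10.10.10.20", "198.51.100.53", 53),
    }


if __name__ == "__main__":
    for name, verdict in check_policy().items():
        print(f"{name:13s} -> {verdict}")
```

The `SHADOWED_ACL` case is the check worth keeping in mind when building a deny-by-default policy: an explicit deny-all entry that precedes the permits swallows every packet, so the permits do the work and the catch-all deny is the last thing the evaluator reaches.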
Re: [Security for] Analysis port for 3com 3300 was Re: (no subject)
I don't understand what you are saying. Are you suggesting that you simply unpack your switches and plug them into the network right from the box? Please don't say it's so, you've posted a lot of good thoughts in the past, and I can't believe you'd actually suggest that now. Bear in mind that a lot of switches out of the box grab an IP address via bootp all on their own, and also tend to have web management enabled with default passwords. IP addresses on switches are in my opinion a very good idea, because then I can monitor the traffic of each port on the switch, whereas otherwise I'd have to load snmp agents on each server. Not only that, but it's a very common management model in businesses to have separate WAN and LAN teams. The person monitoring the switches often doesn't have any administrative access to the servers.

On Wed, 9 Jan 2002, Paul Robertson wrote:
On Wed, 9 Jan 2002, Ken Milder wrote:
Because this is a firewalls list, this thread can serve as a good segue into a question about switch security that has been on my mind for some time: Most switches support remote management features like web interfaces, SNMP, telnet, etc. If these switches are hacked, someone can not only cause a denial of service, but use the port mirroring feature to sniff traffic. So, I am curious to know the thoughts of others in addressing this issue. (I know that some of the more expensive switches and routers can utilize encrypted passwords, but I believe community strings are still clear text, correct?)
My take- If you need to manage a switch, you've got WAY too much time on your hands. I've never put an IP address on a switch, and can't see any valid reason for doing so that isn't better done at some other level or via a different vector (such as a terminal server wired to console ports.) In-band management wasn't good for the phone system, and it's not good for IP networks.
Paul
- Paul D. Robertson My statements in this message are personal opinions [EMAIL PROTECTED] which may have no basis whatsoever in fact.
___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
help
Please unsubscribe me from your list for the last time. Curtis Hunt -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 09, 2002 3:54 PM To: [EMAIL PROTECTED] Subject: Firewalls digest, Vol 1 #449 - 9 msgs Send Firewalls mailing list submissions to [EMAIL PROTECTED] To subscribe or unsubscribe via the World Wide Web, visit http://lists.gnac.net/mailman/listinfo/firewalls or, via email, send a message with subject or body 'help' to [EMAIL PROTECTED] You can reach the person managing the list at [EMAIL PROTECTED] When replying, please edit your Subject line so it is more specific than Re: Contents of Firewalls digest... Today's Topics: 1. Re: [Security for] Analysis port for 3com 3300 was Re: (no subject) (Ken Milder) 2. Cisco Security Advisory: Multiple Vulnerabilities in Cisco SN 5420 Storage Router (Cisco Systems Product Security Incident Response Team) 3. Subject: PIX Access list (Chew, Freeland (Roanoke)) 4. Stateful Pix (Chew, Freeland (Roanoke)) 5. Re: Subject: PIX Access list (Network Operations) 6. Re: [Security for] Analysis port for 3com 3300 was Re: (no subject) (Paul Robertson) 7. Re: Subject: PIX Access list (Network Operations) 8. Re: Stateful Pix (Network Operations) --__--__-- Message: 1 Date: Wed, 09 Jan 2002 13:02:26 -0700 To: [EMAIL PROTECTED] From: Ken Milder [EMAIL PROTECTED] Subject: Re: [Security for] Analysis port for 3com 3300 was Re: (no subject) Cc: [EMAIL PROTECTED] --=_618238029==_.ALT Content-Type: text/plain; charset=us-ascii; format=flowed Because this is a firewalls list, this thread can serve as a good segue into a question about switch security that has been on my mind for some time: Most switches support remote management features like web interfaces, SNMP, telnet, etc. If these switches hacked, someone can not only cause a denial of service, but use the port mirroring feature to sniff traffic. So, I am curious to know the thoughts of others in addressing this issue. 
(I know that some of the more expensive switches and routers can utilize encrypted passwords, but I believe community strings are still clear text, correct?)

At 1/4/2002 12:10 PM, [EMAIL PROTECTED] wrote:
With the 3com 3300, in order to monitor the network traffic that is traversing the 3com 3300 switch, one must configure what is called a monitor port or analysis port (under the Roving Analysis Setup) using the 3com Switch Management Software. One has to define an Analysis port (the port that is connected to the Sniffer) and a monitor port (the port that is being monitored). Once the two are defined, and it is enabled via the Switch Management software, the stack passes all the traffic going in and out of the monitor port and copies it to the analysis port. If you are attempting to monitor traffic across multiple VLANs, an analysis port must be set up in each VLAN used by the 3com 3300. Note: The analysis port should be configured to have a higher bandwidth than the monitor port, otherwise not all traffic that is being analyzed will be captured entirely. /hope this helps /cheers, *useless memorization of switch/router configuration options.. * (these types of questions never appear on a CISSP exam.:-) /m

At 11:53 AM 1/4/2002 -0800, William Stackpole wrote:
Daniel, Most switches will allow one or more ports to be combined or cross connected for this very purpose. If this isn't possible then the best you can do is put the sniffer on the backbone segment attached to the switch. You wouldn't be able to see the traffic between individual switch nodes but you will see conversations out to servers, Internet connections etc. The other alternative, if this is a temporary situation for troubleshooting purposes, is that you could replace the switch with a hub.
-- Bill Stackpole, CISSP

- Original Message - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, January 04, 2002 11:14 AM Subject: (no subject)
Hi, how do I use a sniffer in a switch in a way that permits capturing all traffic? (3com 3300) Thanks in advance, Daniel
___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
* Kenneth H. Milder Los Alamos National Laboratory Computing, Communications Networking Division (CCN) Network Engineering Group (CCN-5) Network Support Team (NST)/X Division Computing Services Team (XCS) MS-F645 Los Alamos, New Mexico 87545-0010 Office: (505)667-2552 Fax: (505)665-3389 E-mail:
Re: [Security for] Analysis port for 3com 3300 was Re: (no subject)
Paul, Thanks for your comments. You must have a small network. We have several hundred subnets and thousands of nodes. Gathering traffic statistics, installing patches and software upgrades, trouble shooting, and other network management functions make remote management of our switches essential. It is inefficient to have a tech jump into a truck and drive 20 miles to a remote site every time we need to trouble shoot a complaint about poor network performance. Take care, -Ken

At 1/9/2002 04:18 PM, Paul Robertson wrote:
On Wed, 9 Jan 2002, Ken Milder wrote:
Because this is a firewalls list, this thread can serve as a good segue into a question about switch security that has been on my mind for some time: Most switches support remote management features like web interfaces, SNMP, telnet, etc. If these switches are hacked, someone can not only cause a denial of service, but use the port mirroring feature to sniff traffic. So, I am curious to know the thoughts of others in addressing this issue. (I know that some of the more expensive switches and routers can utilize encrypted passwords, but I believe community strings are still clear text, correct?)
My take- If you need to manage a switch, you've got WAY too much time on your hands. I've never put an IP address on a switch, and can't see any valid reason for doing so that isn't better done at some other level or via a different vector (such as a terminal server wired to console ports.) In-band management wasn't good for the phone system, and it's not good for IP networks.
Paul
- Paul D. Robertson My statements in this message are personal opinions [EMAIL PROTECTED] which may have no basis whatsoever in fact.
___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
* Kenneth H. Milder Los Alamos National Laboratory Computing, Communications Networking Division (CCN) Network Engineering Group (CCN-5) Network Support Team (NST)/X Division Computing Services Team (XCS) MS-F645 Los Alamos, New Mexico 87545-0010 Office: (505)667-2552 Fax: (505)665-3389 E-mail: [EMAIL PROTECTED] *
Re: [Security for] Analysis port for 3com 3300 was Re: (no subject)
On Wed, 9 Jan 2002 [EMAIL PROTECTED] wrote:
I don't understand what you are saying. Are you suggesting that you simply unpack your switches and plug them into the network right from the box?

No, I'm saying that I've always tried to avoid plugging in a switch which was configured to talk IP on a production network (Ciscos used to come out of the box that way- I tend to buy cheaper/dumber devices these days.)

IP addresses on switches are in my opinion a very good idea, because then I can monitor the traffic of each port on the switch, whereas otherwise I'd have to load snmp agents on each server. Not only that, but it's a very common management model in businesses to have separate WAN and LAN teams. The person monitoring the switches often doesn't have any administrative access to the servers.

It's been probably 8 years since I've done anything with snmp that didn't count as turning it off. When I've needed to check the status of a server's service, I've done it by checking the actual service itself. When I've needed to check on equipment, I've done it through the console port wired to a terminal server to get away from in-band management issues. The single time I've been mandated to build in management, it got its own network (it was a router cloud- the switches still didn't get IP addresses.) To me, the benefit argument in the cost/benefit/risk analysis hasn't ever met the bar for managing switches. Buying more devices and building redundancy in up-front, or buying cheaper devices and cascading new gear in before anywhere near the MTBF both seem to me to be much better solutions than in-band management. Unlike MAUs, CAUs and LAMs, I think I've only seen two Ethernet switch failures ever, and one was DOA. I've never been a huge fan of the router/switch/Cuisinart devices either though...

Paul
- Paul D. Robertson My statements in this message are personal opinions [EMAIL PROTECTED] which may have no basis whatsoever in fact.
___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
Re: help
On Wed, Jan 09, 2002 at 05:12:25PM -0500, Hunt, Curtis wrote: Please unsubscribe me from your list for the last time. I think this URL, given in every mailing from the list, will help you: To subscribe or unsubscribe via the World Wide Web, visit http://lists.gnac.net/mailman/listinfo/firewalls or, via email, send a message with subject or body 'help' to [EMAIL PROTECTED] -- : Stilgherrian, Director of Operations, prussia.net : Internet infrastructure services focussing on the essentials : http://www.prussia.net/ : ARBN BN97858688, ABN 15 148 757 893 ___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
Re: Stateful Pix
Actually DNS Guard in the PIX only allows one (the first) DNS response back. All others are dropped.

At 01:53 PM 1/9/2002 -0800, Chew, Freeland (Roanoke) [EMAIL PROTECTED] wrote:
Message: 4 From: Chew, Freeland (Roanoke) [EMAIL PROTECTED] To: '[EMAIL PROTECTED]' [EMAIL PROTECTED] Subject: Stateful Pix Date: Wed, 9 Jan 2002 15:36:41 -0500
Yes the PIX will allow the answers to the DNS queries back in without any other configuration.

Message: 4 Date: Wed, 9 Jan 2002 10:32:19 -0200 (BRST) From: Edson Yamada [EMAIL PROTECTED] To: lista fw [EMAIL PROTECTED] Subject: Stateful inspection on PIX
Hello again, Sorry if this is a stupid question. I've been reading the PIX docs and it's written that PIX is stateful. Let's suppose that a host (behind the internal interface) queries a DNS server that is located behind an outside interface. By default, all traffic that comes from the inside interface to the outside is allowed, so the query passes through the firewall, right? What about the answer? As PIX is stateful, this means that the answer for this specific query is allowed? If not, do I have to apply an access list to allow the answers? Thanks
** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.mimesweeper.com **
___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
Re: [Security for] Analysis port for 3com 3300 was Re: (no subject)
On Wed, 9 Jan 2002, Ken Milder wrote:
> Paul, Thanks for your comments. You must have a small network. We have several

I've built and run networks from the tens of devices to the tens of thousands.

> hundred subnets and thousands of nodes. Gathering traffic statistics, installing patches and software upgrades, trouble shooting, and other network management functions make remote management of our switches essential. It is inefficient to have a tech jump into a truck and drive 20

I've seen two switch failures on switches I've procured since Ethernet switches became popular, one was DOA, and the other was locked up so that you couldn't remotely access it. If you've got any significant number of switch failures, then either your vendor needs a good dressing down, and your POs need a MTBF clause, or you're under capitalizing your network infrastructure. If it's a dumb switch, there's no need for software upgrades or patches. That leaves troubleshooting- and other than one set of Ethernet cards doing poor autonegotiation, I've yet to see a significant layer 2 problem on Ethernet which wasn't easily troubleshot without SNMP or switch stats- and most of those could be shot from either a host or a router.

> miles to a remote site every time we need to trouble shoot a complaint about poor network performance.

If you're troubleshooting performance issues on a regular basis, I'd suggest that your efforts really need to be directed towards building out a more robust architecture, or educating your users to build network infrastructure dollars into new projects to support their workloads. Networking existed pretty happily before people put SNMP on switches, even large robust networks. It's been my experience that most of the time, the very cause of trouble is the network layer, so once again, in-band management sucks for diagnosing it. That's why I like terminal servers wired to console ports where remote diagnosis is necessary.

Another more useful trick if you're using large core switches is to out-of-band the console port and keep a sniffer on one port that you can span onto one of the VLANs. Sniffers are a heck of a lot more useful for diagnostics than built-in switch statistics IMO. FWIW, I've never had responsibility for an internetwork with more than ~3,000 local users, and about 150 remote sites.

Paul
- Paul D. Robertson My statements in this message are personal opinions [EMAIL PROTECTED] which may have no basis whatsoever in fact.
___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
Re: forwarding in interfaces ethernet
I don't use syslog. I have this configuration in my PIX:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 real security10
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
ip address outside x.y.z.130 255.255.255.192
ip address inside 10.10.10.1 255.255.255.0
ip address real q.w.r.1 255.255.255.0
global (outside) 1 a.b.c.1-a.b.c.253 netmask 255.255.255.0
global (outside) 1 a.b.c.254 netmask 255.255.255.0
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
nat (real) 0 q.w.r.5 255.255.255.255 0 0
nat (real) 0 q.w.r.6 255.255.255.255 0 0
nat (real) 0 q.w.r.7 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp any range 1024 65535 any
conduit permit udp any range 1024 65535 any

Thanks for helping me.

On Wed, 2002-01-09 at 13:11, bob bobing wrote:
Well, you left out some info. First off, what are the security levels for ethernet2 and ethernet3? Are you using syslog? What is the PIX logging when you try the ping that fails? Also, can you show all nat, global, and static rules for eth2 and eth3?

--- Johnny Gonzalez [EMAIL PROTECTED] wrote:
Hi. I have a PIX 525 with 4 ethernets.
1 ethernet = inside (10.10.10.1/24)
2 ethernet = real (IP internet z.x.w.q/24)
3 ethernet = outside (IP internet a.b.c.d/24)
The default route is a.b.c.x.
I have the next rules:
conduit permit icmp any any
nat (real) 0 z.x.w.r 255.255.255.255
The ethernet real is inside of my LAN:
Internet---outside---real---inside---LAN
The clients have IP 10.10.10.x and z.x.w.r/24. The clients have no problem getting to the internet. But I don't see pings from 10.10.10.x to z.x.w.r/24. I see pings from the internet to z.x.w.r/24. What is the problem?? Thanks for helping me.
-- Johnny Gonzalez Dominguez Ingenieria de Software Telecable Morelos Cuernavaca, Morelos Tel. (52)(777)3292475 [EMAIL PROTECTED] [EMAIL PROTECTED] ICQ #75046976
___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
__ Do You Yahoo!? Send FREE video emails in Yahoo! Mail! http://promo.yahoo.com/videomail/
___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
-- Johnny Gonzalez Dominguez Ingenieria de Software Telecable Morelos Cuernavaca, Morelos Tel. (52)(777)3292475 [EMAIL PROTECTED] [EMAIL PROTECTED] ICQ #75046976
___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
Re: Stateful Pix
Doesn't it make ya just wanna go hug it?

Brian Ford [EMAIL PROTECTED] 01/09 2:29 PM
Actually DNS Guard in the PIX only allows one (the first) DNS response back. All others are dropped.

At 01:53 PM 1/9/2002 -0800, Chew, Freeland (Roanoke) [EMAIL PROTECTED] wrote:
Message: 4 From: Chew, Freeland (Roanoke) [EMAIL PROTECTED] To: '[EMAIL PROTECTED]' [EMAIL PROTECTED] Subject: Stateful Pix Date: Wed, 9 Jan 2002 15:36:41 -0500
Yes the PIX will allow the answers to the DNS queries back in without any other configuration.

Message: 4 Date: Wed, 9 Jan 2002 10:32:19 -0200 (BRST) From: Edson Yamada [EMAIL PROTECTED] To: lista fw [EMAIL PROTECTED] Subject: Stateful inspection on PIX
Hello again, Sorry if this is a stupid question. I've been reading the PIX docs and it's written that PIX is stateful. Let's suppose that a host (behind the internal interface) queries a DNS server that is located behind an outside interface. By default, all traffic that comes from the inside interface to the outside is allowed, so the query passes through the firewall, right? What about the answer? As PIX is stateful, this means that the answer for this specific query is allowed? If not, do I have to apply an access list to allow the answers? Thanks
** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.mimesweeper.com **
___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
RE: help
Curtis, You are sending your request to the wrong address. As you can see in the e-mail you included, you need to send subscribe/unsubscribe requests to '[EMAIL PROTECTED]'. You are sending your e-mail to the mailing list submissions address. Greg S. ___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
RE: forwarding in interfaces ethernet
Get rid of:
nat (real) 0 q.w.r.5 255.255.255.255 0 0
nat (real) 0 q.w.r.6 255.255.255.255 0 0
nat (real) 0 q.w.r.7 255.255.255.255 0 0

Instead use:
nat (real) 0 access-list real
access-list real permit ip 10.10.10.0 255.255.255.0 q.w.r.5 255.255.255.255
access-list real permit ip 10.10.10.0 255.255.255.0 q.w.r.6 255.255.255.255
access-list real permit ip 10.10.10.0 255.255.255.0 q.w.r.7 255.255.255.255

You can tighten these as you need after you get things working. And, while you're at it, why these two lines?
conduit permit tcp any range 1024 65535 any
conduit permit udp any range 1024 65535 any

You may want to have a look at: http://www.cisco.com/warp/public/707/index.shtml#IOS

Glenn

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Johnny Gonzalez Sent: Wednesday, January 09, 2002 6:01 PM To: bob bobing Cc: Lista de firewall Subject: Re: forwarding in interfaces ethernet
I don't use syslog. I have this configuration in my PIX:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 real security10
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
ip address outside x.y.z.130 255.255.255.192
ip address inside 10.10.10.1 255.255.255.0
ip address real q.w.r.1 255.255.255.0
global (outside) 1 a.b.c.1-a.b.c.253 netmask 255.255.255.0
global (outside) 1 a.b.c.254 netmask 255.255.255.0
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
nat (real) 0 q.w.r.5 255.255.255.255 0 0
nat (real) 0 q.w.r.6 255.255.255.255 0 0
nat (real) 0 q.w.r.7 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp any range 1024 65535 any
conduit permit udp any range 1024 65535 any
Thanks for helping me.
RE: forwarding in interfaces ethernet
Thanks, I resolved the problem with the next line:
global (real) 1 q.w.r.4
And the users in inside see the users in real. I use PAT; the nat lines in real are in use.

On Wed, 2002-01-09 at 18:32, Glenn Shiffer wrote:
Get rid of:
nat (real) 0 q.w.r.5 255.255.255.255 0 0
nat (real) 0 q.w.r.6 255.255.255.255 0 0
nat (real) 0 q.w.r.7 255.255.255.255 0 0
Instead use:
nat (real) 0 access-list real
access-list real permit ip 10.10.10.0 255.255.255.0 q.w.r.5 255.255.255.255
access-list real permit ip 10.10.10.0 255.255.255.0 q.w.r.6 255.255.255.255
access-list real permit ip 10.10.10.0 255.255.255.0 q.w.r.7 255.255.255.255
You can tighten these as you need after you get things working. And, while you're at it, why these two lines?
conduit permit tcp any range 1024 65535 any
conduit permit udp any range 1024 65535 any
You may want to have a look at: http://www.cisco.com/warp/public/707/index.shtml#IOS
Glenn

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Johnny Gonzalez Sent: Wednesday, January 09, 2002 6:01 PM To: bob bobing Cc: Lista de firewall Subject: Re: forwarding in interfaces ethernet
I don't use syslog. I have this configuration in my PIX:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 real security10
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
ip address outside x.y.z.130 255.255.255.192
ip address inside 10.10.10.1 255.255.255.0
ip address real q.w.r.1 255.255.255.0
global (outside) 1 a.b.c.1-a.b.c.253 netmask 255.255.255.0
global (outside) 1 a.b.c.254 netmask 255.255.255.0
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
nat (real) 0 q.w.r.5 255.255.255.255 0 0
nat (real) 0 q.w.r.6 255.255.255.255 0 0
nat (real) 0 q.w.r.7 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp any range 1024 65535 any
conduit permit udp any range 1024 65535 any
Thanks for helping me.
-- Johnny Gonzalez Dominguez Ingenieria de Software Telecable Morelos Cuernavaca, Morelos Tel. (52)(777)3292475 [EMAIL PROTECTED] [EMAIL PROTECTED] ICQ #75046976
___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
how does outgoing nat work exactly?
Hi there, When an internal machine attempts to connect to a webserver thru a firewall (linux iptables) what is the exact mechanism? Is there a good explanation on the net? Please correct me if I'm wrong, my understanding is the internal machine's browser tries to connect to www.redhat.com port 80, the firewall takes the packet and rewrites the IP to be its own and selects an outgoing port on the internet side of the firewall, keeps the external port, the internal IP and port in a table, the webserver responds back to the firewall, the firewall sees the response back to the external port, looks up the entry in the table, rewrites the destination IP and port to be the internal machine's IP and port. Is this a reasonable assumption? Or am I out in left field. far out? TIA
___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
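The translation table the question describes, and the DNS Guard behaviour Brian Ford mentions in the "Stateful Pix" thread (only the first answer to a DNS query is let back in), are the same mechanism seen from two sides: an outbound packet creates an entry keyed on the rewritten source port and the remote endpoint, and a packet arriving from outside is admitted only if it matches an entry. The following is an added example written for this thread, not iptables or PIX code and not anything posted by the list members. It simulates a port-address-translating firewall in Python with a stateful return path and a DNS Guard style single-answer rule; the global address 203.0.113.1, the inside client 10.10.10.20 and the TEST-NET-2 servers are constructed values.

```python
"""Added example (not PIX or iptables code): a simulated source-NAT/PAT table
with stateful return matching, plus a DNS Guard style rule that lets only the
first answer to a DNS query back in.  All addresses, ports and the reply
handling are constructed to model the behaviour the messages describe.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulPAT:
    """Rewrite outbound sources to one global address and match replies back."""

    def __init__(self, outside_ip: str):
        self.outside_ip = outside_ip
        self._next_port = 1024          # next free port on the outside address
        # (proto, outside_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self._xlate: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        self.dropped: List[Packet] = []

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: reuse the entry for this flow or allocate a new one."""
        remote = (pkt.dst_ip, pkt.dst_port)
        inside = (pkt.src_ip, pkt.src_port)
        for (proto, oport, rip, rport), owner in self._xlate.items():
            if proto == pkt.proto and (rip, rport) == remote and owner == inside:
                return Packet(pkt.proto, self.outside_ip, oport, pkt.dst_ip, pkt.dst_port)
        oport = self._next_port
        self._next_port += 1
        self._xlate[(pkt.proto, oport, pkt.dst_ip, pkt.dst_port)] = inside
        return Packet(pkt.proto, self.outside_ip, oport, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: only a reply to an existing entry is translated back.

        Anything without an entry (an unsolicited connection attempt, or a second
        DNS answer after the first one tore the entry down) is dropped.
        """
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        inside = self._xlate.get(key) if pkt.dst_ip == self.outside_ip else None
        if inside is None:
            self.dropped.append(pkt)
            return None
        if pkt.proto == "udp" and pkt.src_port == DNS_PORT:
            # DNS Guard style: one query gets one answer, then the hole closes.
            del self._xlate[key]
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside[0], inside[1])


def run_demo() -> dict:
    """Constructed flows: inside client 10.10.10.20, resolver and web server on TEST-NET-2."""
    fw = StatefulPAT(outside_ip="203.0.113.1")   # constructed global address (TEST-NET-3)
    query = fw.outbound(Packet("udp", "10.10.10.20", 40000, "198.51.100.53", DNS_PORT))
    answer = Packet("udp", "198.51.100.53", DNS_PORT, fw.outside_ip, query.src_port)
    first = fw.inbound(answer)    # translated back to 10.10.10.20:40000
    second = fw.inbound(answer)   # same answer again: dropped, the entry is gone
    syn = fw.outbound(Packet("tcp", "10.10.10.20", 40001, "198.51.100.80", 80))
    synack = fw.inbound(Packet("tcp", "198.51.100.80", 80, fw.outside_ip, syn.src_port))
    stray = fw.inbound(Packet("tcp", "198.51.100.80", 80, fw.outside_ip, 2000))  # no entry
    return {"query_as_seen_outside": query, "dns_first": first, "dns_second": second,
            "web_reply": synack, "unsolicited": stray, "dropped": len(fw.dropped)}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:22s} -> {value}")
```

The web flow shows the plain table lookup the question sketches; the DNS flow shows why a stateful device can be stricter than "anything matching the table gets in": once the expected answer has arrived, the entry is removed, so a later packet that happens to carry the same source and destination tuple has nothing to match and is dropped.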
PIX-no nat config
I'm seeking some help from a PIX expert. I have the following configuration (the network diagram from the original message, recovered as far as the text allows):

To Internet, head router (2)
215.x.x.1 (external PIX address)
PIX 515, V 6.1
192.168.21.1 (internal IP address)
192.168.21.2 -- Cisco 2621 -- serial link to 206.x.x.0/24 (real address), 205.x.x.240/30
10.10.10.0/24

The remote office running the real address (206.x.x.0/24) needs to run no-nat to outside, and the mail and ftp servers in it will need public access from outside to inside. I tried the following open config (only to test the no-NAT issues):

ip address outside 215.x.x.3 255.255.255.0
ip address inside 192.168.21.1 255.255.255.248
access-list outside permit ip any any
access-list inside permit ip any any
access-list no-nat-inside permit ip 206.x.x.0 255.255.255.0 206.x.x.0 255.255.255.0
access-list no-nat-inside permit ip any any
global (outside) 1 interface
nat (inside) 0 access-list no-nat-inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 206.x.x.2 206.x.x.2 netmask 255.255.255.255 0 0   (mail server)
access-group outside in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 215.x.x.2 1   (to outside)
route inside 10.10.10.0 255.255.255.0 192.168.21.2 1
route inside 206.x.x.0 255.255.255.0 192.168.21.2 2

I'm testing by making a telnet connection to the internal mail server from outside, but the result is always:
Dec 31 12:30:45 [192.168.21.1.2.2] %PIX-3-106011: Deny inbound (No xlate) tcp src inside:215.x.x.5/33152 dst inside:206.x.x.2/25

Any idea??? Help is welcome. Ileana [EMAIL PROTECTED]
Re: Is It possible to trace a hacker, and on Diffie-Hellman
Robert, to comment on the first half of your posting at least (the maths of cryptography is still something I haven't explored)...

On Sun, Jan 06, 2002 at 06:30:16PM -0500, [EMAIL PROTECTED] wrote:
Last summer my PC was attacked by a malicious hacker who used a Trojan Horse NetBus. My Norton Personal Firewall alerted me about all five attacks, but I panicked, shut down and rebooted, but by doing that, somehow the malicious hacker got my username and password and even my email address (all replaced). He even took over my Norton firewall somehow and shut me out so that I could not reconfigure it or even do anything at all in my MSDOS screen to find mysterious or renamed Windows files. I was terrified that somehow this malicious hacker would get into the computer network at the university I am affiliated with.

Knowing universities, chances are the attacker was *already* inside the network. Universities are chock full of unattended computers, all inside the firewall defences, and all capable of being used maliciously. The statistics show that 80%-ish of information security incidents come from insiders. And it's almost a rite of passage for a computing science student to break open a system. In the case of NetBus, at some point someone actually had to install the trojan on your computer. This is easier than you might imagine. Is your computer *always* under lock and key when not in use? Do you *never* run software downloaded from anywhere except official sources, and then only after thorough scanning with today's anti-virus software? Have you religiously installed *every* security update for your operating system and application software? Really? :) Once NetBus is on your machine, the attacker has complete control. Literally anything can be done with your computer at that point, so it's no surprise to hear that the machine was very weird thereafter. Sending your usernames and passwords to some external site is trivial.
I know hackers use what is known as spoofing IP addresses. But in spite of that I was wondering is there any way law enforcement experts or computer security specialists can trace a hacker's whereabouts? Even packets with spoofed origins have to come from somewhere. And if the attacker is actually wanting to *use* your computer (as opposed to just flooding it with garbage that could literally come from anywhere) then they need to use a real IP address so they can interact. Assuming that they *are* using a real IP address, yes, they can be traced. Or at least the computer can be traced. It's harder to prove that some specific individual was sitting in front of it. Every IP address belongs to someone, and that information is stored in the globally-distributed WHOIS database. If it's a typical connection through an ISP, then the ISP will have logs showing which customer account was using that IP address the time. If it's a dial-up line and the ISP logs caller ID info, then they can also match it to a specific telephone line. The issues aren't so much whether the information is *possible* to obtain but whether it's *practical* to obtain and *useful* when you get it. Even if a real IP address is being used, consider: * ISPs generally protect the privacy of their users, and will probably only release logs to law enforcement agencies. Are the police (probably under-resourced for Internet work) at all interested in your case? * The ISP says the IP address in question belongs to an Internet cafe which uses Network Address Translation (NAT), allowing them to put 100 computers on the Internet through one IP address. So which of those machines was used for the attack? Who knows! Who was sitting at that computer? I dunno, they just came in and paid cash for a half-hour session. * The IP address belongs to a dial-up customer, but when the customer is asked he says he doesn't know anything about what you're claiming. 
Besides, the kids use the computer -- and they're all such *good* boys... * The IP address belongs to some generic ISP in China or Uzbekistan or Bolivia or somewhere else where they don't give a toss about following up Internet crime. End of investigation. [Important note for American readers: Most Internet users are somewhere other than the United States. Most websites are in languages other than English. The FBI is a *US* law-enforcement body. US law doesn't apply outside the US. Sorry to whinge, but it's an important point and often completely overlooked.] * Attackers will sometimes (often?) use multiple trans-national links to cover their tracks further. Yep, the machine that attacked you was in, say, Florida. But looking closer reveals that *that* machine was itself attacked and under control of a machine in France. That machine was hacked from Moscow, and that one from ... you get the idea. * Due to some miracle, the attack can be traced to a specific
PIX 515 Freezing
I hope I am writing this to someone who can assist me. I am trying to find out why my Cisco PIX 515 firewall keeps freezing. The problem has been around for some time now and is getting worse as we are getting an increase in traffic.

Some Cisco Pix 515, 515-DC and 506 Firewalls have suffered system hangs when traffic on the network becomes too heavy, requiring IS staff to manually restart the firewall, Cisco reported in an Oct. 18 field notice on its Web site. Cisco expects the problem to occur most often in the 515 models, which are designed for corporate central offices, but said it may also happen in 506 units in some cases. The 506 is designed for branch offices, which tend to experience lower traffic levels.

This seems to sum up the issues I am having. I don't know about purchase dates, but I purchased my firewall in May 2000. Oh, and I am in Sydney, Australia.

Thanks for your assistance.

Regards,
pat

Patrick Hammond
CEO, OZeStock Pty Ltd
74 Pitt Street, Suite 505
Sydney NSW 2000
PH: 02 9222 9645
FAX: 02 9222 9844
MOBILE: 0412 332 717

___
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
Re: Is It possible to trace a hacker, and on Diffie-Hellman
Yes, it is possible to track a hacker, but unless you have proof and can trace it to someone in the US it's a moot point. If you want to trace an attacker you should have the following:

1. An active intrusion detection system (IDS) that can perform a trace back to the source regardless of spoofing.
2. Detailed logging of your perimeter router, firewall and intrusion detection system.
3. Daily review of the log files and immediate action if any penetrations are detected. Immediate action is required because most ISPs do not maintain adequate records.
4. Proof that a crime was actually committed, i.e., server, firewall, IDS logs. The DOJ will not prosecute door knocking. (Most ISPs have abuse policies and will terminate service for door knockers.)

To aid in the prosecution of perpetrators, security banners should also be in place.

Most of our attack attempts come from Eastern Europe and China. In this case finding that an attack came from a Chinese university is useless. Since the key to security is prevention, I use the IDS to dynamically block sites once a hack attempt is detected. While you may not have an IDS, you should monitor your log files and place access lists on your perimeter router and firewall. Also, security patches, updated software, and browser and system security settings might have prevented your Netbus attack.

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, January 06, 2002 5:30 PM
Subject: Is It possible to trace a hacker, and on Diffie-Hellman

My background is not computer security, but mathematics, and I was wondering if I might be humbly allowed to ask a question:

Last summer my PC was attacked by a malicious hacker who used a Trojan Horse NetBus. My Norton Personal Firewall alerted me about all five attacks, but I panicked, shut down and rebooted, but by doing that, somehow the malicious hacker got my username and password and even my email address (all replaced). He even took over my Norton firewall somehow and shut me out so that I could not reconfigure it or even do anything at all in my MSDOS screen to find mysterious or renamed Windows files. I was terrified that somehow this malicious hacker would get into the computer network at the university I am affiliated with.

Incidentally, two months ago a hacker got into the Apple computer of one of the professors in the Mathematics Department. I learned after he gave me a research paper to read, because there was a computer technician there working on his PC to help him reinstall his backed up files.

I know hackers use what is known as "spoofing" IP addresses. But in spite of that I was wondering is there any way law enforcement experts or computer security specialists can trace a hacker's whereabouts?

Some years back there were several Scientific American articles in one issue on these matters, that is, firewalls, malicious hackers, attacks on networks, denial of service attacks, etc. But I could not follow very well the peculiar, nearly "fictional narrative" one of the contributors to these Scientific American articles gave to show how the network administrator and the FBI caught the fictitious hacker in the article. If there presently is no way at all for someone in authority, network administrators, or computer security specialists to locate a hacker's whereabouts, then perhaps research should best be focused in this area.

Incidentally someone posted some information about the Diffie-Hellman algorithm (actually called in Number Theory a certain kind of exponentiation cipher), saying that the keys are found by using elements of a finite group (a finite field, actually), which is quite true. Suppose parties A and B want a common key. Then if they use a cryptosystem like DES, they take two elements h and k from that finite field, multiply them together, then raise the integer b to the power hk, or b^hk. This is the common key, and A sends b^h to B, B sends b^k to A, and both are able to decipher the encrypted messages. Usually the integers h and k are very large prime numbers, too large for a malicious hacker to guess.

Thanking you for your patience in advance,

Robert Betts
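As an added example (not part of Robert's posting or of the reply), here is the exchange he describes written out in Python with his symbols b, h and k: A publishes b^h, B publishes b^k, and each side raises the other's public value to its own secret exponent, so both arrive at the common b^hk while only b^h and b^k ever cross the wire. The modulus P and base B below are constructed demonstration parameters, far too small for real use.

```python
# Added example (not from the original posting): a Diffie-Hellman exchange
# written with the post's symbols. Base b and prime modulus p are agreed in
# the open; A keeps exponent h secret, B keeps exponent k secret.
import hashlib
import secrets

# Demonstration parameters (constructed): 2**127 - 1 is a Mersenne prime,
# far too small for real use but enough to show the arithmetic.
P = 2**127 - 1
B = 2


def dh_public(b: int, p: int, x: int) -> int:
    """Value a party publishes: b^x mod p."""
    return pow(b, x, p)


def dh_shared(peer_public: int, x: int, p: int) -> int:
    """Shared value: raise the peer's public value to our own secret exponent.
    A computes (b^k)^h, B computes (b^h)^k; both equal b^hk mod p."""
    return pow(peer_public, x, p)


def dh_exchange(b: int, p: int, h: int, k: int) -> tuple[int, int]:
    """Run both sides and return (A's shared value, B's shared value).
    Only b^h and b^k are sent; an eavesdropper sees both but never h or k."""
    b_h = dh_public(b, p, h)   # A -> B
    b_k = dh_public(b, p, k)   # B -> A
    return dh_shared(b_k, h, p), dh_shared(b_h, k, p)


def session_key(shared: int) -> bytes:
    """Derive a fixed-length symmetric key (for DES, AES, ...) from b^hk."""
    n_bytes = (shared.bit_length() + 7) // 8 or 1
    return hashlib.sha256(shared.to_bytes(n_bytes, "big")).digest()


if __name__ == "__main__":
    h = secrets.randbelow(P - 2) + 1   # A's secret exponent, chosen at random
    k = secrets.randbelow(P - 2) + 1   # B's secret exponent, chosen at random
    key_a, key_b = dh_exchange(B, P, h, k)
    assert key_a == key_b == pow(B, h * k, P)
    print("common key:", session_key(key_a).hex())
```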
Re: forwarding in interfaces ethernet
The idea of Glenn is fine, but the interface real has a lower security level than inside. Therefore you must replace

  nat (real) 0 access-list real

by

  nat (inside) 0 access-list real

Your global entry for interface real is another way, depending on you, whatever you want.

dirk

Johnny Gonzalez wrote:

> Thanks, I resolved the problem with the next line:
>
>   global (real) 1 q.w.r.4
>
> And the users in inside see the users in the real. I use PAT; the lines of nat in real are in use.
>
> On Wed, 2002-01-09 at 18:32, Glenn Shiffer wrote:
>
>> Get rid of:
>>
>>   nat (real) 0 q.w.r.5 255.255.255.255 0 0
>>   nat (real) 0 q.w.r.6 255.255.255.255 0 0
>>   nat (real) 0 q.w.r.7 255.255.255.255 0 0
>>
>> Instead use:
>>
>>   nat (real) 0 access-list real
>>   access-list real permit ip 10.10.10.0 255.255.255.0 q.w.r.5 255.255.255.255
>>   access-list real permit ip 10.10.10.0 255.255.255.0 q.w.r.6 255.255.255.255
>>   access-list real permit ip 10.10.10.0 255.255.255.0 q.w.r.7 255.255.255.255
>>
>> You can tighten these as you need after you get things working.
>>
>> And, while you're at it, why these two lines?
>>
>>   conduit permit tcp any range 1024 65535 any
>>   conduit permit udp any range 1024 65535 any
>>
>> You may want to have a look at: http://www.cisco.com/warp/public/707/index.shtml#IOS
>>
>> Glenn
>>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Johnny Gonzalez
>> Sent: Wednesday, January 09, 2002 6:01 PM
>> To: bob bobing
>> Cc: Lista de firewall
>> Subject: Re: forwarding in interfaces ethernet
>>
>>> I do not use syslog.
>>>
>>> I have this configuration in my pix:
>>>
>>>   nameif ethernet0 outside security0
>>>   nameif ethernet1 inside security100
>>>   nameif ethernet2 real security10
>>>   interface ethernet0 auto
>>>   interface ethernet1 auto
>>>   interface ethernet2 auto
>>>   ip address outside x.y.z.130 255.255.255.192
>>>   ip address inside 10.10.10.1 255.255.255.0
>>>   ip address real q.w.r.1 255.255.255.0
>>>   global (outside) 1 a.b.c.1-a.b.c.253 netmask 255.255.255.0
>>>   global (outside) 1 a.b.c.254 netmask 255.255.255.0
>>>   nat (inside) 1 10.10.10.0 255.255.255.0 0 0
>>>   nat (real) 0 q.w.r.5 255.255.255.255 0 0
>>>   nat (real) 0 q.w.r.6 255.255.255.255 0 0
>>>   nat (real) 0 q.w.r.7 255.255.255.255 0 0
>>>   conduit permit icmp any any
>>>   conduit permit tcp any range 1024 65535 any
>>>   conduit permit udp any range 1024 65535 any
>>>
>>> Thanks for your help.
>>>
>>> --
>>> Johnny Gonzalez Dominguez
>>> Software Engineering
>>> Telecable Morelos
>>> Cuernavaca, Morelos
>>> Tel. (52)(777)3292475
>>> [EMAIL PROTECTED]
>>> [EMAIL PROTECTED]
>>> ICQ #75046976
RE: PIX-no nat config
First: welcome to the past! What's about your date? Or was the mail hanging some days at a mailserver?

There are some mistakes inside the configuration. Did you test a connection from network 10.10.10.x to the internet?

You have mixed 3 types of nat. The priority is:

  nat (...) 0 access-list ...
  static (...,...) ...
  nat (...) 1 ...

At first, the access-list no-nat-inside isn't correct:

  access-list no-nat-inside permit ip 206.x.x.0 255.255.255.0 206.x.x.0 255.255.255.0
  access-list no-nat-inside permit ip any any

The first line will never match, the second line should match every packet. I would suggest to you removing the nat (inside) 0 access-list ... first. Then we will see what's going on.

dirk