Re: Using Cisco IOS firewall feature set (fwd)
Is the list software still running amok? I still seem to be getting dupes of old posts, mine and others':

-- Forwarded message --
Date: Thu, 17 Jan 2002 10:08:46 -0600 (CST)
From: Ron DuFresne [EMAIL PROTECTED]
To: Michael Janke [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Using Cisco IOS firewall feature set

[...]

___
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
RE: Comparison between checkpoint and Cisco IOS firewall
             IOS      Checkpoint
Price        less     more
Work         less     more

IOS has very basic functionality, but Checkpoint has some advanced features. It depends on your requirement.

Prathabacimman.M

-----Original Message-----
From: vishwas asemend [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 17, 2002 5:56 AM
To: [EMAIL PROTECTED]
Subject: Comparison between checkpoint and Cisco IOS firewall

[...]
Comparison between checkpoint and Cisco IOS firewall
Hi all,

I want to choose a firewall, and finally I came down to two firewalls: Checkpoint and Cisco IOS. Can anybody tell me the advantages and disadvantages of Cisco IOS and Checkpoint NG or 4.1?

Regards,
Vish

Get your free email from http://www.netjaal.com
RE: Comparison between checkpoint and Cisco IOS firewall
With these kinds of questions it would be helpful to know what kind of environment you have and what the requirements for the firewall are, such as number of users, number of firewalls, protocols routed through the firewall (HTTP, SQL*Net, FTP, etc.), high availability requirements, routing protocols...

You didn't mention if you were considering Cisco IOS with or without the firewall feature set. Or could it be that you mean Cisco PIX, not IOS?

Cisco IOS's primary function is routing and Checkpoint NG's primary function is filtering traffic. Cisco IOS with the firewall feature set (or even without) can be quite enough for certain environments, even large corporations with certain characteristics.

rgds,
Harri

-----Original Message-----
From: ext vishwas asemend [mailto:[EMAIL PROTECTED]]
Sent: 17 January, 2002 11:56
To: [EMAIL PROTECTED]
Subject: Comparison between checkpoint and Cisco IOS firewall

[...]
RE: Comparison between checkpoint and Cisco IOS firewall
Good day, Vish -

We attempted to use the Cisco IOS firewalling feature to do three things:

1) act as the external routers for our sites and augment the Checkpoint firewalls we already had on site.
2) provide local access to Internet services (www, telnet, ftp, etc).
3) connect to the corporate infrastructure via IPSec VPN.

Just between you and me, I'll be hornswoggled if I can see much difference between the IOS configuration and a suite of standard access lists. But be that as it may, here is what we found:

1) This works to provide ingress filtering and outgoing NAT. But you don't need IOS to do that.
2) This works... But you still don't need IOS to do that.
3) This works... To other Cisco routers, and only if you do not need 1) and 2). If you try to combine these functions, you get into configuration nightmares.

On the other hand, the Checkpoint systems can do all three functions.

Dan

-----Original Message-----
From: vishwas asemend [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 17, 2002 5:56 AM
To: [EMAIL PROTECTED]
Subject: Comparison between checkpoint and Cisco IOS firewall

[...]
Re: Using Cisco IOS firewall feature set
Eric Appelboom wrote:

> I am looking at complementing our FW-1's with switches installed with the Cisco IOS firewall feature set. Has anyone used the IOS firewall in production and can give advice?

We have had it in production at a handful of sites for several years. It has been generally problem-free.

> Are there any performance comparisons?

I'm not sure how to scale this to a 6500, but we ran IOSFW with CBAC on a 2501 connected to a single T1. The router CPU utilization scaled linearly with T1 utilization, so when the circuit hit 100%, so did the router CPU. It ran that way for a year or so before we replaced it with a 3640.

I don't think that CBAC itself adds much to the processor load, but because CBAC works by adding an ACL entry for every TCP/UDP session, the ACL can grow to be quite long. We had a site decide to teach their students how to port scan. Each student lit off their own nmap session pointed at a remote site. That created enough ACL entries to overload a 2600.

--
Mike
-
Michael Janke
Minnesota State Colleges and Universities

From real Server 7.0 startup--
Starting RealServer 7.0 Core...
Loading RealServer License Files...
Detecting Number of CPUs...
Testing 1 CPU(s): 1 CPU Detected, Phew...
-
Re: Using Cisco IOS firewall feature set
On Thu, 17 Jan 2002, Michael Janke wrote:

[SNIP]

> I don't think that CBAC itself adds much to the processor load, but because CBAC works by adding an ACL entry for every TCP/UDP session, the ACL can grow to be quite long. We had a site decide to teach their students how to port scan. Each student lit off their own nmap session pointed at a remote site. That created enough ACL entries to overload a 2600.

In past discussions on this, it has been strongly suggested that CBAC is costly, on memory and CPU, and that reflexive ACLs might be a better choice of options. Chris Breton and Ben Nagy might be able to add to this...

Thanks,

Ron DuFresne
~~
Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
RE: Using Cisco IOS firewall feature set
The 65xx series Cat is well capable of handling IOS Firewall, even on a single Sup configuration, which obviously is your config, as you are using MLS, which requires the MSFC in the slot where a second Sup could otherwise go. CBAC will cut down on performance, not significantly at CPU levels below 60%, but can cause sluggishness above that.

One thing more: keep the management functions of your network out of band, both for security and accessibility reasons.

Glenn

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Appelboom
Sent: Wednesday, January 16, 2002 2:15 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Using Cisco IOS firewall feature set

[...]
RE: Using Cisco IOS firewall feature set
Don't skip over things!!! Make sure folks understand that they can't do this using CatOS, that they gotta pay more for the x-bar setup, and that they really need the 256 MB card. What lunacy: the layer 3 router on the 65xx ...SWITCH... has enough to DO just routing. Sandwich the firewall with 6509s with the x-bar and dual-NIC the firewall and you'll be fine...

piranha...

From: Glenn Shiffer [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: Using Cisco IOS firewall feature set
Date: Thu, 17 Jan 2002 21:10:31 -0500

[...]

_
Join the world's largest e-mail service with MSN Hotmail. http://www.hotmail.com
Using Cisco IOS firewall feature set
I am looking at complementing our FW-1's with switches installed with the Cisco IOS firewall feature set. I would like to implement this on 6500 switches also using layer 3 switching, so inspection can be done on switches and not on the fw NIC. We primarily would like to reduce unnecessary internal-to-internal traffic. We will use the Cisco Policy Manager version 3, which appears to be similar to the FW-1 GUI and not command line. There doesn't appear to be many people using the IOS firewall feature set, and it appears quite apt and manageable. I am aware of the TCP/UDP-only inspection limitation of CBAC.

Has anyone used the IOS firewall in production and can give advice? Are there any performance comparisons?

Regards,
Eric

***
Disclaimer: The information in this email is confidential and is intended solely for the addressee(s). Access to this email by anyone else is unauthorised. If you are not an intended recipient, you must not read, forward, print, use or disseminate the information contained in the email. Any representations (contractual or otherwise), views or opinions presented are solely those of the author and do not necessarily represent those of the employer or any of its affiliates.
Re: Cisco IOS firewall
At first glance I was about to dump this as being an OT mail (Exchange server) issue; however, I seem to recall a similar problem some time ago.

I think the reason why your internal email is getting bounced is because when IDENT/auth lookups (port 113 udp/tcp authentication) are enabled, your firewall is probably denying the IDENT lookups to your internal hosts.

Check for the rejected port 113 traffic to your internal hosts in your syslog; this should clear things up..

Cheers..
Marc

> Prathabacimman.M [EMAIL PROTECTED] 01/07 9:56 PM
> [...]
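A check in the direction Marc suggests, written for this page and not taken from any poster: it runs over Cisco IOS syslog lines and tallies ACL denials of TCP/113 ident traffic towards the hosts that have SMTP open, ACL denials of SMTP itself, and the SMTP verbs CBAC's inspection threw out. The %SEC-6-IPACCESSLOGP line is the real IOS ACL-log message format; the %FW-3-SMTP_INVALID_COMMAND line is an assumption about what CBAC logs when it rejects a command, and the log lines, addresses and mail-host list are all constructed.

```python
"""Scan Cisco IOS syslog for the checks the thread suggests: ACL denials of
ident (TCP/113) towards hosts that serve SMTP, and CBAC SMTP-inspection
rejections. Example written for this page; all log lines are constructed."""
import re
from collections import Counter

# %SEC-6-IPACCESSLOGP is the IOS message for a logged ACL match on a TCP/UDP
# packet. %FW-3-SMTP_INVALID_COMMAND is ASSUMED to be what CBAC's SMTP
# inspection logs when it rejects a command it does not understand (e.g. EHLO).
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
FW_SMTP_RE = re.compile(
    r"%FW-3-SMTP_INVALID_COMMAND: Invalid SMTP command \((?P<cmd>[^)]*)\)"
)

IDENT_PORT = 113
SMTP_PORT = 25

# Constructed sample: the DMZ mail host (192.0.2.25) had just connected out to
# a remote MTA (203.0.113.9); the remote MTA's ident lookup back to port 113
# is denied, and later CBAC rejects an EHLO and an AUTH on an inbound session.
SAMPLE_LOG = """\
Jan  7 21:40:12 rtr1 1234: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(43121) -> 192.0.2.25(113), 1 packet
Jan  7 21:40:13 rtr1 1235: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.9(43122) -> 192.0.2.25(25), 1 packet
Jan  7 21:40:19 rtr1 1236: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(43125) -> 192.0.2.25(113), 3 packets
Jan  7 21:41:02 rtr1 1237: %FW-3-SMTP_INVALID_COMMAND: Invalid SMTP command (EHLO mail.example.org)(total 21 chars) from initiator (203.0.113.9:43122)
Jan  7 21:41:05 rtr1 1238: %FW-3-SMTP_INVALID_COMMAND: Invalid SMTP command (AUTH LOGIN)(total 10 chars) from initiator (203.0.113.9:43122)
Jan  7 21:42:40 rtr1 1239: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.77(51000) -> 192.0.2.25(25), 1 packet
"""
MAIL_HOSTS = {"192.0.2.25"}   # assumption: the DMZ hosts with SMTP open


def parse_acl_line(line):
    """Return the fields of an ACL log message as a dict, or None if absent."""
    m = ACL_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def analyze(lines, mail_hosts):
    """Tally ident denials to mail hosts, SMTP denials, and the SMTP verbs
    CBAC rejected. Flow counters are keyed by (src, dst); verbs by name."""
    findings = {"ident_denied": Counter(), "smtp_denied": Counter(),
                "cbac_rejected_verbs": Counter()}
    for line in lines:
        rec = parse_acl_line(line)
        if rec is not None:
            if rec["action"] != "denied" or rec["proto"] != "tcp":
                continue                       # ident and SMTP are TCP-only
            flow = (rec["src"], rec["dst"])
            if rec["dport"] == IDENT_PORT and rec["dst"] in mail_hosts:
                findings["ident_denied"][flow] += rec["count"]
            elif rec["dport"] == SMTP_PORT:
                findings["smtp_denied"][flow] += rec["count"]
            continue
        m = FW_SMTP_RE.search(line)
        if m:
            verb = m.group("cmd").split()[0].upper()
            findings["cbac_rejected_verbs"][verb] += 1
    return findings


def report(findings):
    """Human-readable summary; ident denials are what Marc tells you to look for."""
    out = []
    for (src, dst), n in sorted(findings["ident_denied"].items()):
        out.append("ident (tcp/113) from %s to %s denied %d time(s): open 113 "
                   "to this mail host or expect slow/bounced mail" % (src, dst, n))
    for (src, dst), n in sorted(findings["smtp_denied"].items()):
        out.append("smtp from %s to %s denied %d time(s)" % (src, dst, n))
    for verb, n in sorted(findings["cbac_rejected_verbs"].items()):
        out.append("CBAC rejected SMTP verb %s %d time(s): an ESMTP extension "
                   "the inspector does not understand" % (verb, n))
    return out


if __name__ == "__main__":
    for line in report(analyze(SAMPLE_LOG.splitlines(), MAIL_HOSTS)):
        print(line)
```

Feed it `show logging` output or the syslog server's file; the ident tally needs `log` on the relevant deny entries of the ACL, and the CBAC lines only appear if inspection logging is turned on.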
RE: Cisco IOS firewall
I would use an IDS like SNORT (www.snort.org) to watch the traffic on the mail server; you can monitor all SMTP or POP3 pretty easily. Takes some setting up to do, but you can use it to block.

One of the problems with CBAC is that its inspection of protocols is pretty rudimentary; you should be allowed to set options on the more common applications like SMTP, but I guess they gotta sell the PIX :). If you need content scrubbing, though, you may need something more versatile than the IOS Firewall Feature Set. Turnkey proxy servers or open-source solutions are available.

Henry

-----Original Message-----
From: Prathabacimman.M [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 07, 2002 11:57 PM
To: '[EMAIL PROTECTED]'
Subject: Cisco IOS firewall

[...]
Re: Cisco IOS firewall
On Tue, 8 Jan 2002, Network Operations wrote:

> At first glance I was about to dump this as being an OT mail (Exchange server) issue; however, I seem to recall a similar problem some time ago.

I'm still not convinced it is not your original interpretation, though it has been a long, long time since I played with Exchange and I could well be wrong. Yet, if I read properly, their Exchange server is semi-exposed on the DMZ, and thus has a different subnet address. This might be a config issue on Exchange that could be fixed there in its config, or an addition might well function for them, still requiring some configuration with the Exchange on the DMZ. The way I might go about this would be to add an inside relay server, such that the DMZ box forwards all mail to the inside SMTP machine only and the inside machine is only able to talk to the outside DMZ box; internal users can all talk to the inside server.

> I think the reason why your internal email is getting bounced is because when IDENT/auth lookups (port 113 udp/tcp authentication) are enabled, your firewall is probably denying the IDENT lookups to your internal hosts.
>
> Check for the rejected port 113 traffic to your internal hosts in your syslog; this should clear things up..

This might work differently for Exchange systems, but, if I recall, for sendmail and other Unix-like SMTP implementations it only results in extremely slow traffic as the SMTP gateway hangs for periods. Does a sendmail or other implementation actually start rejecting traffic in such an auth-less environment?

Thanks,

Ron DuFresne

> Cheers..
> Marc
>
> > Prathabacimman.M [EMAIL PROTECTED] 01/07 9:56 PM
> > [...]
RE: Cisco IOS firewall
(I live!)

-----Original Message-----
From: [EMAIL PROTECTED]
[...]
> On Tue, 8 Jan 2002, Network Operations wrote:
>
> > At first glance I was about to dump this as being an OT mail (Exchange server) issue; however, I seem to recall a similar problem some time ago.
>
> I'm still not convinced it is not your original interpretation, though it has been a long, long time since I played with Exchange and I could well be wrong. [...]

I'm betting heavily on the server misconfiguration explanation. Note that the poster says the problem occurs when they turn on authentication. Since there is no authentication mechanism for basic SMTP (check RFC 821 or, more recently, 2821), any authentication MUST occur as an extension - i.e. through ESMTP. (For the curious, there's a link from the postfix team that I found useful, which also references some SMTP Auth RFCs. [1])

The PIX, for example, doesn't support ESMTP at all. Not even a little bit. It wouldn't surprise me if CBAC doesn't either. That doesn't really make it a firewall issue, though, since any mail server that _requires_ ESMTP for inbound mail from the general Internet is broken, IMHO.

> > I think the reason why your internal email is getting bounced is because when IDENT/auth lookups (port 113 udp/tcp authentication) are enabled, your firewall is probably denying the IDENT lookups to your internal hosts. [...]

(nitpick) Those ident requests only go from server to server, and it's tcp 113, not udp.

The problem you're referring to is common, and extremely hard to pin down the first time it's encountered. It normally occurs on outbound mail, though, unless one is running a mailserver which uses the ident mechanism (and has it enabled) - Exchange is not one of those.

> This might work differently for Exchange systems, but, if I recall, for sendmail and other Unix-like SMTP implementations it only results in extremely slow traffic as the SMTP gateway hangs for periods. Does a sendmail or other implementation actually start rejecting traffic in such an auth-less environment?

What can happen is that the ident request takes a while to time out, and the sending server decides that the connection has gone and gives up. This can also manifest as a nasty race condition where things _sometimes_ work - slowly, and then die completely during slow periods. I have never seen anywhere that requires a successful ident lookup before it will accept mail, although I'm sure it's an option.

> Ron DuFresne
>
> > > Prathabacimman.M [EMAIL PROTECTED] 01/07 9:56 PM
> > >
> > > Thanks to Henry Sieff. Adding more to the above problem: yesterday we solved the problem, but temporarily. As we remove "ip inspect name 'name' smtp", things have started moving smoothly. But our situation forces us to implement SMTP monitoring. How to go about it..

CBAC doesn't do any SMTP monitoring - it just makes sure all the commands are correct and tries to stop some obvious attacks. It sounds like you actually need a tool to do antivirus / content inspection of mail traffic, which is a different problem.

My advice:

Leave the external authentication turned OFF. You can solve the relay problem without turning it on - read the documentation for Exchange on microsoft.com, or try KB article Q193922 [2].

Leave CBAC on. It's vaguely useful, provided one doesn't expect too much of it.

Get a box that sits in front of your Exchange server (logically) and relays all mail. Make this box do AV and content filtering (there are free and payware tools to do this). (Personally, I think content filtering is crazy and impossible to do properly. This hasn't stopped me from agreeing to implement it in several sites, due to annoying legal / statutory climates.)

> > > Prathabacimman.M (call me prathab)
> > > [...]

Good luck.

[1] http://www.thecabal.org/~devin/postfix/smtp-auth.txt
[2] http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q193922

--
Ben Nagy
Unemployed Network Security Specialist (Needs a job in Geneva ;)
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
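To make Ben's point concrete, here is a model written for this page; it is not Exchange, PIX or CBAC code and not from any poster. It has a minimal SMTP relay that advertises AUTH only in its EHLO reply and relays off-domain mail only after a successful AUTH, an inspector that answers any verb outside RFC 821 with a 500 the way the thread says the PIX (and, AFAIK, CBAC) treats ESMTP, and a client that tries EHLO, falls back to HELO, and then attempts to relay. The domain, hostnames and credential are constructed.

```python
"""Why SMTP AUTH on an Exchange relay fails behind an inspector that only
understands RFC 821 SMTP. A simplified model written for this page; not
Exchange, PIX or CBAC code. Names, domains and credentials are constructed."""
import base64

LOCAL_DOMAIN = "example.com"                        # assumption: the domain we accept mail for
CRED = base64.b64encode(b"\0user\0secret").decode()  # constructed AUTH PLAIN credential
RFC821_VERBS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


class RelayServer:
    """Minimal SMTP server: local delivery always, relaying only after AUTH.
    AUTH is an ESMTP extension (RFC 2554), so it is only offered after EHLO."""

    def __init__(self, users):
        self.users = users
        self.reset()

    def reset(self):
        self.greeted = self.esmtp = self.authed = False

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self.greeted, self.esmtp = True, False
            return ["250 mail.%s" % LOCAL_DOMAIN]
        if verb == "EHLO":
            self.greeted = self.esmtp = True
            return ["250-mail.%s" % LOCAL_DOMAIN, "250 AUTH PLAIN"]
        if not self.greeted:
            return ["503 send HELO/EHLO first"]
        if verb == "AUTH":
            if not self.esmtp:                      # AUTH does not exist in basic SMTP
                return ["500 command not recognized"]
            mech, _, cred = arg.partition(" ")
            self.authed = mech.upper() == "PLAIN" and cred in self.users
            return ["235 authenticated"] if self.authed else ["535 authentication failed"]
        if verb == "MAIL":
            return ["250 OK"]
        if verb == "RCPT":
            rcpt = arg[len("TO:"):].strip("<>")
            if rcpt.endswith("@" + LOCAL_DOMAIN) or self.authed:
                return ["250 OK"]
            return ["550 relaying denied"]          # the bounce the original poster sees
        return ["500 command not recognized"]


def rfc821_only_inspector(line):
    """Emulates an inspector that only passes RFC 821 verbs and answers anything
    else itself. Returns the reply it sends back, or None to pass the command."""
    verb = line.split(" ", 1)[0].upper()
    return None if verb in RFC821_VERBS else ["500 command unrecognized"]


def relay_session(server, rcpt, cred, inspector=None):
    """Client that prefers EHLO+AUTH, falls back to HELO, then tries to send
    to rcpt. Returns (transcript, accepted)."""
    server.reset()
    transcript = []

    def send(cmd):
        replies = inspector(cmd) if inspector else None
        if replies is None:                         # not intercepted: reaches the server
            replies = server.handle(cmd)
        transcript.append((cmd, replies))
        return replies

    replies = send("EHLO client.example.org")
    if replies[-1].startswith("500"):               # ESMTP refused: fall back to plain SMTP
        replies = send("HELO client.example.org")
    if any(r[4:].startswith("AUTH") for r in replies):   # AUTH only offered after EHLO
        send("AUTH PLAIN " + cred)
    send("MAIL FROM:<user@example.org>")
    accepted = send("RCPT TO:<%s>" % rcpt)[-1].startswith("250")
    return transcript, accepted


if __name__ == "__main__":
    srv = RelayServer({CRED})
    for label, insp in (("no inspector", None), ("RFC 821-only inspector", rfc821_only_inspector)):
        transcript, ok = relay_session(srv, "bob@other.example.net", CRED, insp)
        print("%s: relay %s" % (label, "accepted" if ok else "REFUSED"))
        for cmd, replies in transcript:
            print("  C: %s\n  S: %s" % (cmd, " / ".join(replies)))
```

With no inspector the client sees AUTH in the EHLO reply, authenticates, and its off-domain RCPT is accepted; with the RFC 821-only inspector the EHLO is answered with a 500 before it reaches the server, the client falls back to HELO, never learns AUTH exists, and its RCPT is refused with 550. Mail for the local domain still gets through in both cases, which is why only the authenticated relay path breaks.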
Re: Cisco IOS firewall
Ben Nagy wrote:

[..]

> The PIX, for example, doesn't support ESMTP at all. Not even a little bit. It wouldn't surprise me if CBAC doesn't either. That doesn't really make it a firewall issue, though, since any mail server that _requires_ ESMTP for inbound mail from the general Internet is broken, IMHO.

CBAC will not allow ESMTP either, AFAIK. If logging is enabled, it will log ESMTP attempts. We front-end our GroupWise Exchange with Solaris running TrendMicro's AV product.

> The problem you're referring to is common, and extremely hard to pin down the first time it's encountered. It normally occurs on outbound mail, though, unless one is running a mailserver which uses the ident mechanism (and has it enabled) - Exchange is not one of those.

[..]

Again, logging on the PIX will show the ident attempts, if there are any. We've started opening up ident on every IP that has SMTP open, just because of the mail servers that still use ident.

[..]

-
Michael Janke
Minnesota State Colleges and Universities
-
Re: Cisco IOS firewall
I admit I missed any mention of users having to authenticate to the Exchange server and its tie to ESMTP; my error. It's a shame the PIX is not as compatible a solution for many environments, and not long ago, in a thread relating to this issue here, we advocated that Cisco should put up front in their marketing blurbs that the PIX is not ESMTP compliant, so that folks can make choices up front by this criterion, or know in advance that they will have to make special efforts to shim it into their environments.

Thanks,

Ron DuFresne

On Tue, 8 Jan 2002, Michael Janke wrote:

> [...]
Re: Cisco IOS firewall
Thanks to Marc and Ron.

My understanding is that a packet which reaches the IOS initially passes through the ACL and then through the CBAC. As disabling the ip inspect makes the AUTH work, it can't be the problem with the port 113. I will shed more light on this. The CBAC is enabled on f0/0, f0/1 and s0/0. Disabling SMTP inspection on all the ports allowed our Interport AUTH to work. Supposing that our Exchange server is on f0/0, disabling SMTP inspection on both f0/0 and f0/1 allowed the AUTH traffic to pass on. Moreover, the ACL was only enabled on s0/0. I think now you have a clear picture.

> Marc
>
> At first glance I was about to dump this as being an OT mail (Exchange server) issue; however, I seem to recall a similar problem some time ago.
> [...]
RE: Cisco IOS Firewall
That's strange. My first guess would be the CBAC. I would enable the logging facility:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfcbac.htm#64990

provides info. That will give you an idea of whether CBAC is blocking something.

Henry

-----Original Message-----
From: Prathabacimman.M [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 07, 2002 12:40 AM
To: '[EMAIL PROTECTED]'
Subject: Cisco IOS Firewall

[...]
Cisco IOS firewall
Thanks to Henry Sieff.

Adding more to the above problem: yesterday we solved the problem, but temporarily. As we remove "ip inspect name 'name' smtp", things have started moving smoothly. But our situation forces us to implement SMTP monitoring. How to go about it..

Prathabacimman.M (call me prathab)

> Hi,
> [...]
Cisco IOS Firewall
Hi,

I have got a very peculiar problem with Cisco IOS Firewall 21.4 on a Cisco 2621 router. Our mail server resides on the DMZ and we have got CBAC and access lists enabled on the router. There's no problem with the traffic except SMTP. When authentication is enabled for SMTP relay on our Exchange server, the Internet clients are unable to send mail through the server. The mails get bounced. When the authentication is removed, the server is vulnerable to open relay. There's certainly a problem with the router/image/CBAC/ACL, but we cannot identify where it lies. Can anyone help me in troubleshooting?

Prathabacimman.M
RE: Cisco IOS Firewall feature set and the 1605?
The basic IOS fully supports the features you need.

-----Original Message-----
From: Michael Dillon [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 11, 2000 12:14 AM
To: '[EMAIL PROTECTED]'
Subject: Cisco IOS Firewall feature set and the 1605?

We just purchased a 1605 Cisco router. As near as I can tell, the firewall feature set is optional (and wasn't included as part of the basic system). I'd like to have it, but I'm not sure I absolutely need it since my requirements are simple.

Our private network uses class C network addresses (so NAT is enabled on the router). I mainly want to do IP forwarding to certain machines on the private network (such as designating which machines receive SMTP or HTTP port traffic). I also need to forward certain IP protocols (such as GRE). The second WAN port on the 1605 will be used for a DMZ network.

Does the 1605 support port and IP protocol forwarding as it was shipped? Or do I need the firewall software option?

Thanks in advance,
Mike

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
RE: Cisco IOS Firewall feature set and the 1605?
You'll be able to do everything you've talked about with the base IP feature set, as long as it's version 12.x. The merits of the firewall feature set versus the ACL stuff you can do in IP only is another topic - should be covered in the archives.

Cheers,

--
Ben Nagy
Marconi Services
Network Integration Specialist
Mb: +61 414 411 520
PGP Key ID: 0x1A86E304

-----Original Message-----
From: Michael Dillon [mailto:[EMAIL PROTECTED]]
Sent: Monday, 11 December 2000 3:44
To: '[EMAIL PROTECTED]'
Subject: Cisco IOS Firewall feature set and the 1605?

We just purchased a 1605 Cisco router. As near as I can tell, the firewall feature set is optional (and wasn't included as part of the basic system). I'd like to have it, but I'm not sure I absolutely need it since my requirements are simple.

Our private network uses class C network addresses (so NAT is enabled on the router). I mainly want to do IP forwarding to certain machines on the private network (such as designating which machines receive SMTP or HTTP port traffic). I also need to forward certain IP protocols (such as GRE). The second WAN port on the 1605 will be used for a DMZ network.

Does the 1605 support port and IP protocol forwarding as it was shipped? Or do I need the firewall software option?

Thanks in advance,
Mike
Re: CISCO IOS Firewall and IDS
Brian Ford wrote:

> Martin,
>
> [snip]
>
>>> Does adding FW-1 to a Nokia box overload the box? That's another vendor's software product on a Nokia blade. You rely on those vendors' abilities to integrate and perform joint testing.
>>
>> The Nokia Box is only a Firewall! And only does firewall tasks... :-P
>
> Huh? Nokia sells that product as a router. IPSO is a router OS. CheckPoint adds firewall capability.

The Nokia is becoming more widely used for multiple applications. For example, ISS now has a RealSecure network engine for IPSO. Now, I am not saying that you should run FW-1 and RealSecure on the same Nokia, but it is good to keep in mind that these nice little boxes are definitely not "only firewalls".

-Ryan
Re: CISCO IOS Firewall and IDS
On Wed, 1 Nov 2000, Ryan Reynolds wrote:

> Brian Ford wrote:
>
>> Martin,
>>
>> [snip]
>>
>>>> Does adding FW-1 to a Nokia box overload the box? That's another vendor's software product on a Nokia blade. You rely on those vendors' abilities to integrate and perform joint testing.
>>>
>>> The Nokia Box is only a Firewall! And only does firewall tasks... :-P
>>
>> Huh? Nokia sells that product as a router. IPSO is a router OS. CheckPoint adds firewall capability.
>
> The Nokia is becoming more widely used for multiple applications. For example, ISS now has a RealSecure network engine for IPSO. Now, I am not saying that you should run FW-1 and RealSecure on the same Nokia, but it is good to keep in mind that these nice little boxes are definitely not "only firewalls".

An important question that still remains here to be asked concerns the fact that not too many months back, IDS systems were prone to DDOS from extensive probes. Now, even if run on its own 'blade' or CPU, does this not then affect the other 'blade'/CPU when the systems are stressed heavily?

Then again, there is another issue with mixed boxen that is often overlooked in this multi-tasking era: when your VCR/TV/toaster oven has a problem with one of its functions and is sent for repairs, it means the other functions are by default also disabled, so when your router/firewall/IDS system suffers in one of its functions, it often, most often in fact, means all other functions are down until repaired.

Not that I back down from my earlier assessment of the Cisco IDS product.

Thanks,

Ron DuFresne
~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
Re: CISCO IOS Firewall and IDS
Ron DuFresne wrote:

> An important question that still remains here to be asked concerns the fact that not too many months back, IDS systems were prone to DDOS from extensive probes. Now, even if run on its own 'blade' or CPU, does this not then affect the other 'blade'/CPU when the systems are stressed heavily?

I would imagine so. This is yet another reason not to use IDS machines for anything else. Not to mention that a machine set up with a single stealth interface and a private interface to a management network should not be useful for other applications anyhow.

-Ryan
FW: CISCO IOS Firewall and IDS
In my experience, most blade-based products are hot swappable and the other components will work whether the broken blade is there or not... Again, if the overall configuration is set up right, it could be designed such that another box could take over the functionality of the broken blade.

I am not sure whether combining them is a good thing or not, but it seems to me that it would be similar to running an agent on each of your hosts for host-based IDS. Wouldn't you want the box to have a secondary processor that was ONLY doing IDS, even if it was sending updates to another server of some sort?

-Ben

On Wed, 1 Nov 2000, Ryan Reynolds wrote:

> Then again, there is another issue with mixed boxen that is often overlooked in this multi-tasking era: when your VCR/TV/toaster oven has a problem with one of its functions and is sent for repairs, it means the other functions are by default also disabled, so when your router/firewall/IDS system suffers in one of its functions, it often, most often in fact, means all other functions are down until repaired.
Re: CISCO IOS Firewall and IDS
Brian Ford wrote:

> Martin,
>
>> I don't know so many details about how your products are built and designed, but... Don't you think that using the same box as a Firewall/router/switch and as IDS could overload the device (the box)???
>
> Does adding FW-1 to a Nokia box overload the box? That's another vendor's software product on a Nokia blade. You rely on those vendors' abilities to integrate and perform joint testing.

The Nokia Box is only a Firewall! And only does firewall tasks... :-P

> Where ever possible at Cisco we use either a dedicated processor (sensor) or co-processors (blade).

The problem of "overloading" or "overlapping" functionalities of IDS and Firewall is not only processor use: it is the fact that you have a single point of failure in your network, so Denial of Service (the most useful attack against network devices) can do so much damage with no way to trace the attack when it is happening...

> In this instance Cisco developed and tests the operating system, the platform and feature (single vendor, minimizing risk). We do have a small background enabling new software features

Single vendor doesn't minimize risk. In fact, as I see things, single vendor could increase risk: see the PPTP case as an example. Opening a product to public scrutiny can be better for security improvements... Remember:

"If I take a letter, lock it in a safe, hide the safe somewhere in New York, then tell you to read the letter, that's no security. That's obscurity. On the other hand, if I take a letter and lock it in a safe, and then give you the safe along with the design specifications of the safe and a hundred identical safes with their combinations so that you and the world's best safecrackers can study the locking mechanism - and you still can't open the safe and read the letter - that's security" - Applied Cryptography - Bruce Schneier - Page XIX

> in our IOS on our platforms without adversely affecting the performance of the underlying platform (NAT, QOS, etc...). We open the architecture to support standards (i.e. the MIB) and to create an environment where third parties can create focused management and reporting capabilities.

Which is good, but keep routers routing, switches switching and so on... As a digest, from Computer Security Journal Number 4, Fall 1998, "Critical Security Flaws in Electronic Commerce Systems", page 11: "Using routers to enforce Security policy". What happens with logs? Who cares about this device? Security People or Network Administrators?? Those are not only the technical issues... :-P

I see it as a bit dangerous relying on the same box to do both things.

> Is your concern complexity and testing? You need to rely on your vendor's track record for that. Wouldn't it be interesting if more devices in your network had the capability and you (or your agent) could turn the capability on and off as needed?

Complexity (not testing) is only part of my concern. As software grows and more functionality is integrated into the "same" box with no sense of modularity (as I feel in this case, and please correct me if I'm wrong), software error risk can increase... "More easy, more useful" means "more complex" and then "more risky". Again, see Microsoft cases... :-)

Thanx for your answer... I feel this discussion is really useful for me... ;-)

--
M. Hoz

Seguridad en Computo 2000 Mexico - Computer Security 2000 Mexico
http://www.seguridad2000.unam.mx
Re: CISCO IOS Firewall and IDS
Martin,

[snip]

>> Does adding FW-1 to a Nokia box overload the box? That's another vendor's software product on a Nokia blade. You rely on those vendors' abilities to integrate and perform joint testing.
>
> The Nokia Box is only a Firewall! And only does firewall tasks... :-P

Huh? Nokia sells that product as a router. IPSO is a router OS. CheckPoint adds firewall capability.

>> Where ever possible at Cisco we use either a dedicated processor (sensor) or co-processors (blade).
>
> The problem of "overloading" or "overlapping" functionalities of IDS and Firewall is not only processor use: it is the fact that you have a single point of failure in your network, so Denial of Service (the most useful attack against network devices) can do so much damage with no way to trace the attack when it is happening...

Single point of failure can be addressed via redundancy and resiliency features such as HSRP, VRRP, and stateful failover. Single point of failure is less a product feature problem and more often a sign of a bad design.

>> In this instance Cisco developed and tests the operating system, the platform and feature (single vendor, minimizing risk). We do have a small background enabling new software features
>
> Single vendor doesn't minimize risk. In fact, as I see things, single vendor could increase risk: see the PPTP case as an example. Opening a product to public scrutiny can be better for security improvements... Remember:
>
> "If I take a letter, lock it in a safe, hide the safe somewhere in New York, then tell you to read the letter, that's no security. That's obscurity. On the other hand, if I take a letter and lock it in a safe, and then give you the safe along with the design specifications of the safe and a hundred identical safes with their combinations so that you and the world's best safecrackers can study the locking mechanism - and you still can't open the safe and read the letter - that's security" - Applied Cryptography - Bruce Schneier - Page XIX

In a perfect world, where customers had the technical means (in the form of equipment and trained people), I would agree with you (and Schneier). But in the world we live and work in today, the majority of the people want a vendor that will do their very best to design, produce, and support product.

>> in our IOS on our platforms without adversely affecting the performance of the underlying platform (NAT, QOS, etc...). We open the architecture to support standards (i.e. the MIB) and to create an environment where third parties can create focused management and reporting capabilities.
>
> Which is good, but keep routers routing, switches switching and so on... As a digest, from Computer Security Journal Number 4, Fall 1998, "Critical Security Flaws in Electronic Commerce Systems", page 11: "Using routers to enforce Security policy". What happens with logs? Who cares about this device? Security People or Network Administrators?? Those are not only the technical issues... :-P

"What happens to logs?" and "Who cares for (manages) the device?" are not technical issues. They are people and control issues that should be dealt with in a proper security policy document. It's all about choice. If you don't want IDS in your router or switch, you can order it that way.

> I see it as a bit dangerous relying on the same box to do both things.

"Relying", yes. Incorporating the capability into your network design, no.

>> Is your concern complexity and testing? You need to rely on your vendor's track record for that. Wouldn't it be interesting if more devices in your network had the capability and you (or your agent) could turn the capability on and off as needed?
>
> Complexity (not testing) is only part of my concern. As software grows and more functionality is integrated into the "same" box with no sense of modularity (as I feel in this case, and please correct me if I'm wrong), software error risk can increase...

Putting more functionality into a box is an industry trend. It has been for years. Look at anybody's switch. What layer does it work at? Again, the majority of customers are voting for this with their product choices.

> "More easy, more useful" means "more complex" and then "more risky". Again, see Microsoft cases... :-)
>
> Thanx for your answer... I feel this discussion is really useful for me... ;-)

Well said!

Regards,

Brian

[snip]

Brian Ford
[EMAIL PROTECTED]
CISCO IOS Firewall and IDS
I am currently reviewing a Cisco 2610 Router with the Firewall and IDS feature set. Can anyone on the list give me some insight or opinions on this product? We will be using it as a perimeter router in front of a Cisco PIX.

Thanks,
Rob
Re: CISCO IOS Firewall and IDS
The little I have seen of the Cisco IDS systems I do not like. Unless I'm totally wrong, you are stuck with their MIBs for the IDS detections, no scripting being allowed to tune the device, so pretty much everything becomes a false positive; then again, we do not place these systems in a place that might give something of useful information from them either.

Thanks,

Ron DuFresne

On Mon, 30 Oct 2000, Rob Serfozo wrote:

> I am currently reviewing a Cisco 2610 Router with the Firewall and IDS feature set. Can anyone on the list give me some insight or opinions on this product? We will be using it as a perimeter router in front of a Cisco PIX.
>
> Thanks,
> Rob

~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
Re: CISCO IOS Firewall and IDS
Ron,

Regarding the MIBs, yeah, we suggest folks use ours. If we waited for someone else to get them done, this product wouldn't have been shipping for the past 2 years. While the NR Director doesn't support "scripting" per se, it does allow the admin to tune the systems so as to isolate false positives. And we recently announced several additional vendors supporting the Director's log and reporting functions, so if you don't like our stuff you can use someone else's software console.

The technically interesting part is the inclusion of IDS sensor technology in a Catalyst blade, several IOS trains and soon PIX firewall builds. So now you can have a dedicated sensor, sensor in a router, sensor in a switch, or sensor in a firewall. Gee whiz, you can have a sensor just about anywhere you need it! With third party software integration we hope to soon be able to bridge our network data with host based solutions.

Regards,

Brian

> Date: Mon, 30 Oct 2000 13:58:26 -0600 (CST)
> From: Ron DuFresne [EMAIL PROTECTED]
> Subject: Re: CISCO IOS Firewall and IDS
>
> The little I have seen of the Cisco IDS systems I do not like. Unless I'm totally wrong, you are stuck with their MIBs for the IDS detections, no scripting being allowed to tune the device, so pretty much everything becomes a false positive; then again, we do not place these systems in a place that might give something of useful information from them either.
>
> Thanks,
>
> Ron DuFresne

Brian Ford
[EMAIL PROTECTED]
Re: CISCO IOS Firewall and IDS
Brian Ford wrote:

> The technically interesting part is the inclusion of IDS sensor technology in a Catalyst blade, several IOS trains and soon PIX firewall builds. So now you can have a dedicated sensor, sensor in a router, sensor in a switch, or sensor in a firewall. Gee whiz, you can have a sensor just about anywhere you need it!

I don't know so many details about how your products are built and designed, but... Don't you think that using the same box as a Firewall/router/switch and as IDS could overload the device (the box)??? As far as I know (from texts like "Intrusion Detection" - Amoroso, and "Building Internet Firewalls" - Chapman/Zwicky), both elements complement each other, but I see it as a bit dangerous relying on the same box to do both things. Processor speeds, software complexity and single points of failure are some considerations that come to my mind... :-)

Just an opinion... :-)

Best regards...

--
Martin Humberto Hoz Salvador
Information Security Consultant (ISS ICU, Check Point CCSE)
C I T I
Sendero Sur 285 Col. Contry, Monterrey, Nuevo Leon 64860, MEXICO
Phone: +(52)(8) 357-2267 x135
Fax: +(52)(8) 357-8047
E-mail: [EMAIL PROTECTED]
WWW: http://www.citi.com.mx
PGP Key ID: 0x0454E8D9
ICQ Number: 31631540
Seguridad en Computo 2000 Mexico - Computer Security 2000 Mexico
http://www.seguridad2000.unam.mx
Re: Cisco IOS Firewall
At 14:58 28/08/00 -0400, J Weismann wrote:

> Here's what you should do: Pray to the everliving god that you don't get some ActiveX virus or attack. Buy a commercial grade firewall, i.e. Raptor/Checkpoint/etc., or create one Linux style... don't go unprotected ;)

How do you block ActiveX using "Linux style"? Also, nothing states that content filtering must be done on the firewall. He can use WebSweeper or the like.

regards,
mouss
Re: Cisco IOS Firewall
I'm a (lurking) member of the firewall list and saw your comments on Linux; I am using this as a router/firewall via the Linux Router Project (LRP) - how secure do you think this is in the grand scheme of things? Assuming IPchains is configured correctly and no services are running, of course.

Cheers
John

----- Original Message -----
From: Ben Nagy [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: 29 August 2000 01:09
Subject: RE: Cisco IOS Firewall

Ah, Linux. The "friendly" OS. Why keep all the root fun to yourself when you could share it with the world? Unless you know all about them and are prepared to spend a day paring them down to nothing, I'd use OpenBSD instead.
Re: Cisco IOS Firewall
> The 'T' train doesn't include CBAC, unless something really drastic has changed. You need to actually purchase the IOS/Firewall feature set, or one of the encryption images that supports FW. You can get plain ol' IP in the 'T' train for nothing - it would be great if it did have CBAC. *sigh*

I stand corrected; I mistakenly assumed that it was part of the 12.0.7(T) IOS update I flashed...

> I would imagine that you'll get this answer: Don't inspect smtp. Just inspect TCP and allow port 25 traffic in your access-lists. What do you lose? Control-channel inspection for incoming email? Feh. Email problems are all virii and worms these days and CBAC won't do a thing about _them_.
>
> My personal opinion on that, BTW, is that anything that aborts when it can't use ESMTP is _really_ busted. Are you _sure_ it's not a DNS matching or ident bug in disguise?

I don't think so; everything worked fine until I enabled CBAC-SMTP, after which the router started rejecting connections from my upstream MX hosts as well as my personal ISP (along with many others), all of whom run ESMTP sendmail under Solaris/SunOS. To quote a reply: "There is an enhancement bug opened to ask for the CBAC to handle esmtp."

(FWIW: I *do* run separate inbound and outbound instances of sendmail)
RE: Cisco IOS Firewall
-----Original Message-----
From: John P [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 29 August 2000 9:15 PM
To: Ben Nagy; [EMAIL PROTECTED]
Subject: Re: Cisco IOS Firewall

> I'm a (lurking) member of the firewall list and saw your comments on Linux; I am using this as a router/firewall via the Linux Router Project (LRP) - how secure do you think this is in the grand scheme of things? Assuming IPchains is configured correctly and no services are running, of course.

That's the big assumption, isn't it...

My main reason for such half-accurate and inflammatory comments was to combat the epidemic of Linux fever for boxes that are security principals. It seems like people forget, or don't know, that Linux provides a pretty swiss-cheesy out-of-box experience. There's nothing wrong with the basic current Linux IP stack (that I've heard of) and especially with add-ons like RSBAC [1] you can make it secure. So don't panic. If you're running a pared-down Linux box you're not doomed. I just personally think that an OS that has had proactive security-based code review is odds-on to be more secure than an OS that is fragmented and in a major growth phase. I also like ipfilter better than ipchains - mainly because it's stateful and easier to manage (IMO - YMMV).

> Cheers
> John

Cheers,

[1] www.rsbac.org - _Real_ security for Linux boxen.

--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304
Mobile: +61 414 411 520
Cisco IOS Firewall
Dear list,

I have recently been offered by our administration to have the Cisco IOS firewall installed on a router to the Internet as our firewall, instead of using a product like Firewall-1, FreeBSD, MS ISA Firewall or some Linux based option. From what I can gather, this is not the PIX installed on a router but a firewall implementation (session and application proxy) of the Cisco IOS.

Has anyone used this product? Does it meet the standards of a secure firewall product? Do you know of any issues with this product I should take into consideration before accepting the proposal?

Thanks for any assistance.

Lindsay Mieth
Re: Cisco IOS Firewall
Here's what you should do: Pray to the everliving god that you don't get some ActiveX virus or attack. Buy a commercial grade firewall, i.e. Raptor/Checkpoint/etc., or create one Linux style... don't go unprotected ;)

> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Cisco IOS Firewall
> Date: Mon, 28 Aug 2000 09:27:54 -0600
>
> Dear list,
>
> I have recently been offered by our administration to have the Cisco IOS firewall installed on a router to the Internet as our firewall, instead of using a product like Firewall-1, FreeBSD, MS ISA Firewall or some Linux based option. From what I can gather, this is not the PIX installed on a router but a firewall implementation (session and application proxy) of the Cisco IOS.
>
> Has anyone used this product? Does it meet the standards of a secure firewall product? Do you know of any issues with this product I should take into consideration before accepting the proposal?
>
> Thanks for any assistance.
>
> Lindsay Mieth
Re: Cisco IOS Firewall
What you are talking about is the "T"-suffixed version of IOS which includes CBAC (Context-Based Access Control). It has improvements on regular access-based lists, but it is not a firewall in the sense of FW-1. Since we have it on our router, I use CBAC (together with reflexive access lists) as a first line of defense. I already have an issue open with Cisco, though, because CBAC-SMTP does not support ESMTP (causing many Solaris sendmail systems to fail to deliver inbound messages).

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, August 28, 2000 10:27 AM
Subject: Cisco IOS Firewall

Dear list,

I have recently been offered by our administration to have the Cisco IOS firewall installed on a router to the Internet as our firewall, instead of using a product like Firewall-1, FreeBSD, MS ISA Firewall or some Linux based option. From what I can gather, this is not the PIX installed on a router but a firewall implementation (session and application proxy) of the Cisco IOS.

Has anyone used this product? Does it meet the standards of a secure firewall product? Do you know of any issues with this product I should take into consideration before accepting the proposal?

Thanks for any assistance.

Lindsay Mieth
RE: Cisco IOS Firewall
You're right - the IOS Firewall product doesn't bear any particular relationship to the PIX.

The IOS firewall product is okay. I don't have that much faith in the control channel inspection stuff for FTP, SMTP, HTTP etc., but it's not _worse_ than having nothing. The TCP inspection and fragmentation blocking is nice and some of the anti-DOS features are good. The logging / audit stuff is better than the standard IOS but still based on syslog and still not amazing. It's more secure than properly configured ACLs, but not by a great deal (and mainly in the fragmentation / TCP sanity checking department). On the plus side, it's cheap and probably close to as good as you're going to get for a bulk-issue stateful packet filter.

Here's some flamebait:

I wouldn't use FW-1 for _free_.

Ah, Linux. The "friendly" OS. Why keep all the root fun to yourself when you could share it with the world? Unless you know all about them and are prepared to spend a day paring them down to nothing, I'd use OpenBSD instead. IPFilter seems to be pretty tight and it's certainly a bunch easier to work with than Ipchains. Sadly I haven't played with IPTables yet.

MS ISA Firewall? Uh...yeah. Whatever. I have no philosophical objection to running a firewall on NT4, but Win2K is too new for me. Let alone running a firewall that's _written_ by M$ - gives me the shivers. NT4 needs about as much work as Linux to get it "secure" from a remote perspective.

Of course for real security you need to think about multiple layers, with as many external services running through some sort of application level gateway as possible (whether boxes in the DMZ to do mail relay, reverse web proxy, DNS cache, or a commercial ALG style firewall). IOS/FW is "good enough" if you're a small organisation with no amazingly valuable secrets to protect. It'll get most of the casual attackers off your back. If someone's really out to get you then it's not going to be your firewall that gets breached.

Go on. Flame away. ;)

Cheers,

--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304
Mobile: +61 414 411 520

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 29 August 2000 12:58 AM
To: [EMAIL PROTECTED]
Subject: Cisco IOS Firewall

Dear list,

I have recently been offered by our administration to have the Cisco IOS firewall installed on a router to the Internet as our firewall, instead of using a product like Firewall-1, FreeBSD, MS ISA Firewall or some Linux based option. From what I can gather, this is not the PIX installed on a router but a firewall implementation (session and application proxy) of the Cisco IOS.

Has anyone used this product? Does it meet the standards of a secure firewall product? Do you know of any issues with this product I should take into consideration before accepting the proposal?

Thanks for any assistance.

Lindsay Mieth
RE: Cisco IOS Firewall
-----Original Message-----
From: Gary Maltzen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 29 August 2000 9:15 AM
To: [EMAIL PROTECTED]
Cc: Firewalls List
Subject: Re: Cisco IOS Firewall

> What you are talking about is the "T"-suffixed version of IOS which includes CBAC (Context-Based Access Control).

The 'T' train doesn't include CBAC, unless something really drastic has changed. You need to actually purchase the IOS/Firewall feature set, or one of the encryption images that supports FW. You can get plain ol' IP in the 'T' train for nothing - it would be great if it did have CBAC. *sigh*

> It has improvements on regular access-based lists, but it is not a firewall in the sense of FW-1.

What, you mean it actually keeps some traffic out? ;)

> Since we have it on our router, I use CBAC (together with reflexive access lists) as a first line of defense. I already have an issue open with Cisco, though, because CBAC-SMTP does not support ESMTP (causing many Solaris sendmail systems to fail to deliver inbound messages).

I would imagine that you'll get this answer: Don't inspect smtp. Just inspect TCP and allow port 25 traffic in your access-lists. What do you lose? Control-channel inspection for incoming email? Feh. Email problems are all virii and worms these days and CBAC won't do a thing about _them_.

My personal opinion on that, BTW, is that anything that aborts when it can't use ESMTP is _really_ busted. Are you _sure_ it's not a DNS matching or ident bug in disguise?

Cheers,

--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304
Mobile: +61 414 411 520
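The SMTP failure discussed in this exchange and in the Exchange-relay thread above (CBAC SMTP inspection that does not understand ESMTP, so EHLO and SMTP AUTH never reach the server), as an added Python model that is not from the list or from Cisco: a command-whitelisting inspector beside the alternative suggested here of inspecting TCP only and permitting port 25 in the ACL. The legacy verb list, the EHLO-to-HELO fallback and the two client sessions are assumptions constructed for the example.

```python
"""Model of command-whitelisting SMTP inspection versus plain TCP inspection.

Constructed for illustration only: the legacy verb list is an assumption
modelled on "CBAC-SMTP does not support ESMTP"; the sample sessions are made up.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

# RFC 821 verbs an inspector that predates ESMTP recognises (assumption).
LEGACY_SMTP_VERBS = frozenset({
    "HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT", "HELP",
    "VRFY", "EXPN", "SEND", "SOML", "SAML", "TURN",
})
# ESMTP verbs (RFC 1869 and later extensions) that such an inspector does not know.
ESMTP_VERBS = frozenset({"EHLO", "AUTH", "STARTTLS", "BDAT", "ETRN"})


@dataclass(frozen=True)
class Verdict:
    line: str
    verb: str
    permitted: bool
    reason: str


def command_verb(line: str) -> str:
    """First token of a client command line, upper-cased ('' for a blank line)."""
    return line.strip().split(" ", 1)[0].upper()


def inspect_smtp_command(line: str) -> Verdict:
    """Application-layer inspection ('ip inspect ... smtp'): permit legacy verbs only."""
    verb = command_verb(line)
    if verb in LEGACY_SMTP_VERBS:
        return Verdict(line, verb, True, "legacy SMTP verb")
    if verb in ESMTP_VERBS:
        return Verdict(line, verb, False, "ESMTP extension unknown to inspector")
    return Verdict(line, verb, False, "unknown verb")


def inspect_tcp_only(line: str) -> Verdict:
    """Generic TCP inspection ('ip inspect ... tcp' plus an ACL permitting port 25):
    the payload is never parsed, so every command is forwarded."""
    return Verdict(line, command_verb(line), True, "payload not inspected")


def run_session(commands: List[str], inspector: Callable[[str], Verdict],
                relay_requires_auth: bool, client_falls_back: bool = True
                ) -> Tuple[str, List[Verdict]]:
    """Drive a client command sequence through the inspector and a minimal server.

    Server: when relay_requires_auth is set, RCPT is refused unless a permitted
    AUTH preceded it.  Client: if EHLO is rejected and client_falls_back is set,
    it retries with HELO, after which AUTH is never advertised and is skipped.
    Returns (outcome, verdicts); outcome is 'delivered', 'relaying denied' or
    'blocked:<VERB>'.
    """
    verdicts: List[Verdict] = []
    authenticated = fell_back = False
    for cmd in commands:
        v = inspector(cmd)
        if not v.permitted and v.verb == "EHLO" and client_falls_back:
            fell_back = True
            parts = cmd.strip().split(" ", 1)
            v = inspector("HELO " + (parts[1] if len(parts) > 1 else ""))
        if fell_back and command_verb(cmd) == "AUTH":
            continue  # AUTH was never offered after HELO, so the client skips it
        verdicts.append(v)
        if not v.permitted:
            return f"blocked:{v.verb}", verdicts
        if v.verb == "AUTH":
            authenticated = True
        if v.verb == "RCPT" and relay_requires_auth and not authenticated:
            return "relaying denied", verdicts
    return "delivered", verdicts


# Constructed: an Internet client relaying through an Exchange server that
# requires SMTP AUTH (the thread's scenario).
AUTHENTICATED_RELAY = [
    "EHLO laptop.example.net", "AUTH LOGIN",
    "MAIL FROM:<user@example.net>", "RCPT TO:<someone@example.org>",
    "DATA", "QUIT",
]
# Constructed: an upstream MX delivering inbound mail with ESMTP (no AUTH needed).
ESMTP_INBOUND = [
    "EHLO mx.example.com",
    "MAIL FROM:<sender@example.com>", "RCPT TO:<user@example.net>",
    "DATA", "QUIT",
]

if __name__ == "__main__":
    cases = [
        ("auth relay, smtp inspection", AUTHENTICATED_RELAY, inspect_smtp_command, True, True),
        ("auth relay, tcp inspection", AUTHENTICATED_RELAY, inspect_tcp_only, True, True),
        ("open relay, smtp inspection", AUTHENTICATED_RELAY, inspect_smtp_command, False, True),
        ("inbound MTA that falls back", ESMTP_INBOUND, inspect_smtp_command, False, True),
        ("inbound MTA that aborts", ESMTP_INBOUND, inspect_smtp_command, False, False),
    ]
    for name, session, insp, needs_auth, falls_back in cases:
        print(f"{name}: {run_session(session, insp, needs_auth, falls_back)[0]}")
```

The run shows why the relay only worked once authentication was removed: under the legacy inspector the client never gets to AUTH, and without AUTH the server refuses RCPT, while an inbound MTA that refuses to fall back from EHLO is cut off at its first command.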
RE: Cisco IOS Firewall
> Date: Fri, 23 Apr 1999 10:46:09 +0530
> From: pdmallya [EMAIL PROTECTED]
> Subject: RE: Cisco IOS
>
> Hi,
>
> Cisco has software which runs on its routers which they call the Firewalling Feature Set. Has anyone on this list had any experience using it, or evaluated it?
>
> Regards
> Prabhakar D. Mallya

You're referring to the Cisco IOS Firewall Feature Set, which provides a stateful inspection packet filter for about a dozen protocols, some good and some not so... It is just an additional feature set to allow CBAC (Context Based Access Control - this is Stateful Inspection for us non-marketing types) on lower level Ciscos (I think 1600s and 2500s for now, may be moving up to larger platforms). All the normal stuff is still allowed, so the "Firewall" router can also do NAT, normal ACLs, Cisco Lock-and-Key (strong password authentication like SecurID), etc. I've used it at a client site to secure 3rd party business partner links, typically where there is a contractual agreement in place as well.

An excerpt from a doc at http://www.cisco.com/warp/public/732/net_foundation/firew_wp.htm giving some overview:

> If a protocol is configured for CBAC, its traffic is inspected, state information maintained, and, in general, return packets are permitted through the firewall if they belong to a valid existing session. See a complete list of CBAC-supported protocols in Appendix A. Following is a partial list of common applications and protocols:
>
> * FTP
> * SMTP
> * H.323 (such as NetMeeting or ProShare)
> * Java
> * Trivial File Transfer Protocol (TFTP)
> * UNIX r-commands (such as remote login [r-login], remote exec [r-exec], and remote shell protocol [r-sh])
> * RealAudio
> * Sun RPC (not DCE RPC; not Microsoft RPC)
> * The WhitePine version of CU-SeeMe
> * SQL*Net
> * StreamWorks
> * VDOLive