Re: Firewall management through SNMP (Was: Re: a web management system for the NetGAP firewall appliance(off-topic))

2002-06-06 Thread Shay Hugi

This thread was "a web management system for the NetGAP firewall appliance"
the NetGAP again.

back to the point. i'm not sure if you ever worked with SPHD products. or
with Adminiweb at all.
but all i said was: Adminiweb is a perfect tool to manage the NetGAP
Appliance (if you can call it a firewall)

what i wanted to hear was your opinions, all i've heard since was: "my CheckPoint
is bigger".
i'm not talking about enterprise class firewalls here. i'm talking about
Adminiweb & NetGAP. that's it.
again... i'm not sure if you even worked with NetGAP.

and believe me.. administrating Golden-Channels network. 470,000 Customers.
demands a lot.
i won't copy the ifconfig file of our NG powered by StoneBeat Full Cluster,
because it'll be embarrassing for you to brag about 6 interfaces.

when and if you'll work with Adminiweb & NetGAP.. come back with an answer.

(Troll? another slashdot geek. ohh god. maybe you wanna r00t my b0x)

-Shay Hugi
-Mpthrill.com

___
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls



Re: Firewall management through SNMP (Was: Re: a web management system for the NetGAP firewall appliance(off-topic))

2002-06-06 Thread Mikael Olsson


Shay Hugi wrote:
>
> i'm not talking about enterprise class firewalls here. i'm talking about
> Adminiweb & NetGAP. that's it.

Ah, yes, that's what it started out as. But as usual, the regulars
here (myself included) can't keep away from a good argument :)


> what i wanted to hear was your opinions, all i've heard
> since was: "my CheckPoint is bigger".

Nah. I don't run Checkpoint boxen :)


> again... i'm not sure if you even worked with NetGAP.

Nope.  I refuse to use anything calling itself a gap on principle,
when it's really only an application layer gateway. Real air gaps
are just that: gaps. Two systems separated by air, possibly with
an operator moving data back and forth using floppies/tapes/whatever,
and thoroughly inspecting it manually before completing the move.

>
> and believe me.. administrating Golden-Channels network. 470,000 Customers.
> demands a lot.
> i won't copy the ifconfig file of our NG powered by StoneBeat Full Cluster,
> because it'll be embarrassing for you to brag about 6 interfaces.

Not really embarrassing. Your examples and views seemed to stem from the
classic int/ext/dmz world. I just exemplified where my views come from.
(Although I agree I may have misinterpreted your arguments completely)

> when and if you'll work with Adminiweb & NetGAP.. come back with an answer.

Never let lack of experience with a specific product stand in the
way of a good generalized debate :)

>
> (Troll? another slashdot geek. ohh god. maybe you wanna r00t my b0x)

"Troll" was popularized on the usenet, long before Mr Berners-Lee
et al even thought of putting three Ws together, and certainly
before slashdot.

r00t your b0x?  That would indeed agree very poorly with my 
principles and what I do for a living. Now, if you were to _pay_
me to make the attempt, it'd be another thing altogether :)


Lighten up; I'm only debating, not attacking you personally :)


Regards,
Mikael Olsson

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50   WWW: http://www.clavister.com

Senex semper diu dormit



Re: Firewall management through SNMP (Was: Re: a web management system for the NetGAP firewall appliance(off-topic))

2002-06-06 Thread Shay Hugi

Damn you're good!
that's something i can't debate about!.

Thanks for all the help

-Shay Hugi
-Mpthrill.com





Re: Firewall management through SNMP (Was: Re: a web management system for the NetGAP firewall appliance(off-topic))

2002-06-05 Thread Mikael Olsson


(I'm almost suspecting a troll here, but, bah, I'll feed it)

Shay Hugi wrote:
>
> [Motorola DDM uses SNMP]
> Lots of cable companies who use Motorola CMTS's or RiverDelta's are
> using the DDM. And i've never heard anyone sayin' anything bad about
> this system.

I have quite a bit of experience in poking around with cable modem
setups (both prior to the DOCSIS standard and with DOCSIS compliant
stuff), and let me tell you this much: security has never been 
their top priority.  I'm tempted to compare it to the 802.11b disaster,
only cable modems (usually) aren't used in the same kind of sensitive
environments.  Usually, with cable modems, the worst that can happen is 
that someone can get free Internet access on a public network, not
highway access to the inner workings of someone's private network,
so I guess it's understandable that it isn't getting the same kind
of attention.


> I don't see AT ALL why should a management system using SNMP and a
> web based (using Java) system should not run on a dedicated
> authenticated workstation to manage a firewall.

If you equate "firewall" with "SOHO ADSL gateway", yeah, I probably
wouldn't give a sh*t if it used web management or SNMP, but, really,
c'mon, administrating an enterprise class firewall through a web 
interface to SNMP ought to be a punishable offense.


> The DDM is truly a powerful product... with no need for any
> session encryption except MD5 for the login passwords.

Oh, I see: it's totally okay for anyone to sniff whatever parts
they wish of my firewall configuration, including pre-shared keys
to VPNs, passwords for AAA-type setups, and details about the
entire ruleset. As long as the admin password is an MD5 hash,
everything is just dandy. 

Pffft.

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50   WWW: http://www.clavister.com

Senex semper diu dormit
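To make the cleartext-management point in the message above concrete, here is an added audit script (not code from this thread or from any product named in it) that decodes the version and community fields of SNMPv1/v2c messages and flags cleartext SNMP and HTTP admin flows as a defender would; the addresses, ports and payload bytes are constructed for the example.

```python
from collections import namedtuple

# src/dst addresses, destination port, and the first bytes seen on the wire
Flow = namedtuple("Flow", "src dst dport payload")

def read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos:]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(msg):
    """Return (version, community): version is 0 for v1, 1 for v2c, 3 for v3.
    v1/v2c send the community string right after the version; v3 sends a
    msgGlobalData SEQUENCE there instead, so community comes back as None."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE, so not SNMP")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version field is not an INTEGER")
    tag, second, _ = read_tlv(body, pos)
    return int.from_bytes(ver, "big"), (second.decode("ascii") if tag == 0x04 else None)

def audit_flow(f):
    """Return a finding for a cleartext management channel, or None if acceptable."""
    if f.dport == 161:
        version, community = parse_snmp_header(f.payload)
        if version >= 3:
            return None                    # v3 authPriv: authenticated and encrypted
        return (f"{f.src}->{f.dst}: SNMPv{'1' if version == 0 else '2c'} community {community!r} "
                "in cleartext; anyone on the segment can reuse it with the same rights. Use v3.")
    if f.dport == 80 and f.payload.split(b" ", 1)[0] in (b"GET", b"POST"):
        return (f"{f.src}->{f.dst}: HTTP admin session; a hashed login password does not "
                "hide the rule set, VPN keys or session cookie that follow. Require HTTPS.")
    return None

def audit(flows):
    """Run every flow through audit_flow and keep only the findings."""
    return [r for r in map(audit_flow, flows) if r]

# Constructed sample traffic (hand-assembled, not captured from any real product).
SNMPV2C_GET = bytes.fromhex("3018020101" "04067075626c6963"       # version 1 (= v2c), "public"
                            "a00b020101020100020100" "3000")      # GetRequest, empty varbinds
SNMPV3_HDR = bytes.fromhex("3016020103" "3011020400000001020300ffe3040104020103")  # v3, header only
FLOWS = [
    Flow("10.0.0.5", "10.0.0.1", 161, SNMPV2C_GET),
    Flow("10.0.0.5", "10.0.0.1", 161, SNMPV3_HDR),
    Flow("10.0.0.5", "10.0.0.1", 80, b"GET /cgi-bin/fw_rules?session=8f3a HTTP/1.0\r\n"),
    Flow("10.0.0.5", "10.0.0.1", 443, b"\x16\x03\x01"),           # TLS ClientHello, not inspected
]
```

Running `audit(FLOWS)` reports the SNMPv2c and plain-HTTP flows and stays silent on the SNMPv3 and HTTPS ones.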



Re: Firewall management through SNMP (Was: Re: a web management system for the NetGAP firewall appliance(off-topic))

2002-06-05 Thread Shay Hugi


> - Original Message -
> From: Shay Hugi [EMAIL PROTECTED]
> To: Mikael Olsson [EMAIL PROTECTED]
> Sent: Wednesday, June 05, 2002 8:14 PM
> Subject: Re: Firewall management through SNMP (Was: Re: a web management
> system for the NetGAP firewall appliance(off-topic))
>
>
> > I Don't know if you consider the NetGAP as a SOHO Router/Firewall. but i
> > think SNMP would be perfect on such a box.
> >
> > who would be able to sniff my *LOCAL* network? if the web management is
> > in the same network connected to same switch?.
> >
> > ever heard about Webmin? i'm sure you've heard about this product. in
> > case you haven't.. they stopped working with SSL.
> > because they saw there's no need for SSL. if you're managing a network
> > device on your local LAN.
> >
> > i'm not saying you're wrong or anything. even the local lan could be
> > FULL of security holes.
> > i'm sorry to disappoint you. but the Adminiweb Management system. does
> > INCLUDE mod_ssl.
> >
> > -Shay Hugi
> > -Mpthrill.com
> >





Re: Firewall management through SNMP (Was: Re: a web management system for the NetGAP firewall appliance(off-topic))

2002-06-05 Thread Mikael Olsson


Shay Hugi wrote:
>
> who would be able to sniff my *LOCAL* network? if the web management
> is in the same network connected to same switch?.

Anyone that mails a copy of back orifice, renamed to hotpr0n.exe,
to a user with too much time on his hands.

> ever heard about Webmin? i'm sure you've heard about this product.
> in case you haven't.. they stopped working with SSL because they saw
> there's no need for SSL if you're managing a network device on your
> local LAN.

It is obvious that the networks I admin have quite different security
demands compared to the networks that you admin.

If you have a security policy that states "as soon as someone
gets a foothold on our 'internal LAN', we might as well give away
everything", I suppose those arguments hold true. Most smaller
organizations do set up their network that way (although they
probably like to think that they have a firewall and antivirus,
so nothing can harm them), so in a sense, I suppose it's reasonable.


I'm more at home with segmented networks with two or more firewalls
and perhaps half a dozen legs on each box. If I'm at the most 
secure admin LAN behind firewall A, and need to cross another 
network to admin firewall B, I don't want people on that transit
network to use info from my admin channel to take over firewall B, 
simply on defense in depth principles.

Even if you don't have as many segments, you still ought to guard
your firewall admin interface as soon as the organization grows
beyond something like 20 users. Up to that point, you can (maybe)
have some control over what's going on, but once you get beyond
that, you get disgruntled employees, power users that want to
do a bit of P2P file sharing to get some new music or games...
or hotpr0n.exe.  If things like that aren't a problem to you, I 
guess all is fine with using virtually unprotected firewall admin
interfaces. 

If that is indeed Webmin's target segment, I guess all is fine there 
too. If on the other hand they're targeting bigger organizations
with higher demands for security, and blatantly lie to them by
saying "hey, you don't really need authentication!", someone ought
to apply a clue-by-4 to their skulls.


-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50   WWW: http://www.clavister.com