SSL, and encryption in general, are only tools to help in providing
adequate security. In itself, encryption provides no security at all.
In the discussed example, the server is public and must thus be
accessible to anyone. This means that it should accept requests
from any client, with or
At 21:51 03/02/01 -0800, Everett F Batey wrote:
In an effort to pick the right way to get there and preferring FreeBSD,
hoped to have more than one subnet on the inside nic0 (eth0, ed0, ...)
and hoped to be able to plumb it like nic0:1 like I do on Solaris.
I suppose BSD ifconfig won't let me do
Ben Nagy wrote:
SSL traffic can be sniffed. The sniffer just gets encrypted
traffic. The sniffer can then decide to cryptanalyse or brute-force
the packets (cryptanalysis better because of known/guessable
header contents in starting packets)
plaintext and you can't guess the
We will have remote users connecting via frame relay to a peering point
outside our firewall. They want to authenticate onto our domain to use
network resources and MS Exchange mail. From the start, Netbios would
have to be allowed through the firewall. Is this an issue since this is
You are mixing up the session key length, which is 40 or 128 bits, with the
RSA key length, which is normally 1024 bits.
The only reason anyone still uses a browser with 40-bit encryption is that
they are too lazy to get one with full encryption (or they live in Iraq,
basically). Due to the export
Most of the MS OSes come with a 40-bit browser by default, including W2K. It
isn't as much laziness as you seem to think. The end users' knowledge base
has more to do with it IMHO.
We needed to change our 128-bit SSL certificate to allow 40 and 56-bit
clients to access our web site, most of the
Does anyone have any opinions on which of these options is the best for an
appliance based HA firewall solution? Or if there is a better option? The
cluster would include 2 Gauntlet 300 series E-pliances. We are looking at a
hardware based solution as neither StoneBeat nor the integrated Legato
I was wondering what other people's experience has been with Rainfinity's
Rainwall product. We chose it at the time because it could handle more than
two interfaces on a firewall. We tried implementing version 1.5 and seem to
be having problems making it work with NAT. They have acknowledged a
Strongly recommend you look into the BIG/IP units from F5. They are
amazingly fast and featureful (far more flexible than anything built on
a switch platform), rock solid, and work particularly well with
Gauntlet/WebShield. We have a few sets deployed in a very large-scale
environment
and of course, the frame relay pipe is bestest if it's encrypted to your
point of termination.
Thanks,
Ron DuFresne
On Mon, 5 Feb 2001 [EMAIL PROTECTED] wrote:
We will have remote users connecting via frame relay to a peering point
outside our firewall. They want to authenticate onto
- Original Message -
From: "Michael T. Babcock" [EMAIL PROTECTED]
To: "Otto Goencz" [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; "Brian Steele" [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Sunday, February 04, 2001 8:29 AM
Subject: Re: Configuration Arguments... In House...
Fallacy of
I'm spec-ing a firewall for use in remote locations with administration via
the internet. A friend told me that back in '97 when he worked on the PIX,
there was no way to administer it unless you were on the inside interface.
Is this configurable, or has this changed?
I want to be able to set
Yes, it has FINALLY changed. As of version 5.3x (I believe) you can administer
remotely. The preferred method is, of course, via SSH or a VPN connection.
cheers..
Marc...
Scott Langendorf [EMAIL PROTECTED] 02/05/01 09:33AM
I'm spec-ing a firewall for use in remote locations with
From what I understand, the newer versions of the Pix Software will allow
you to telnet to the outside interface if you are using IPSec. This was from
the 5.0 manual
Don Hickey
- Original Message -
From: "Scott Langendorf" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February
You can also use SSH (v1) from an outside interface to connect directly
to the Cisco PIX in later releases of 5 (e.g. 5.2(3)) if you configure it.
- H. Morrow Long
Don Hickey wrote:
From what I understand, the newer versions of the Pix Software will allow
you to telnet to the outside
Hi to all,
Do you know how can I use two ISP to connect to the same Web site?
I have clients in both of them and can not downgrade performance. I don't
want to use different site names for each client.
Thanks.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in
Just to let you know I was just setting this up when you asked and I do have
it working from the outside using IPSEC. So it is a definite yes to remote
management.
-Original Message-
From: Don Hickey [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 05, 2001 10:44 AM
To: [EMAIL
One drawback is that if you are running in a failover configuration with
two PIXen, you cannot use SSH due to encryption synchronization. At least
according to the documentation.
Jim Gibson
[EMAIL PROTECTED]
S4R -- The Calm behind .com
www.s4r.com
-Original Message-
From: [EMAIL
The only way I can think of is if both ISPs are willing to "publish" your IP
address range to their clients and possibly the internet. You would need a
set of IP addresses assigned to you that your ISPs route to the internet. Or
you convince your "new ISP" to allow your "OLD ISP" to publish to the
You can, however, run SSH to the router in front of, behind or next to the
PIX and connect to the primary via the inside interface. The routers' IOS as
well as the PIX can all terminate SSH connections.
Date: Mon, 5 Feb 2001 10:38:14 -0800
From: "Jim Gibson" [EMAIL PROTECTED]
Subject: RE:
You can run SSH
on a Linux box and connect this box to the PIX via serial. Then you ssh
to the Linux box and open a serial connection (minicom) to the
PIX.
"I Was Born To Frag"(vpereira)
zyon:/work# cd /pub
zyon:/pub# more beer
zyon:/pub# cd ~
zyon:~# sleep 18h
Check out Radware Linkproof. It will help you do this without using BGP or
obtaining an AS.
http://www.radware.com/content/products/link.htm
Regards,
Shimon Silberschlag
Wydeband Ltd.
Phone: +972 3 7668858
Fax: +972 3 7668980
Mobile: +972 51 207130
-Original Message-
From: Rod
Title: RE: Firewall Load-balancing/Redundancy
You might want to also look at the Radware Fireproof solution. It was one of the first to be Checkpoint OPSEC certified I believe. The problem is that it is located on the high availability hot standby section and not the load balance like it
Wondering if anyone has heard of any company moving from having a router as
their boundary device connecting to the internet to a switch with a
routing module. Aware that you could possibly face loss of more internal
functionality from a DoS attack due to losing the switching capability but
Supposedly, this was fixed in 5.3(1), but the one test I've done didn't
work. Anyone test SSH failover in this rev of PIX o/s? Get it to work?
Michael
Jim Gibson wrote:
One drawback is that if you are running in a failover
configuration with two PIXen, you cannot use SSH due to
You also may want to take a look at Fore/Marconi ESX/NSX FSA (firewall
switching agent), which does load balancing of all IP traffic over three FWs (Checkpoint or
Gauntlet). Can be used with gig and offers fastpath with TCP
traffic.
-
From: Jeff Deitz [mailto:[EMAIL PROTECTED]]
Sent: 05
Hi there,
Can two IPs be bound to a single NIC in Win2k? A friend of mine is telling
me it's possible. I don't think any OS will allow that, but then again I work
on UNIX, which sticks an IP to a single NIC, and have no exposure to Win2k.
Salman
On Mon, 5 Feb 2001, Salman Ghani wrote:
Can two IPs be bound to a single NIC in Win2k? A friend of mine is
telling me it's possible. I don't think any OS will allow that, but
then again I work on UNIX, which sticks an IP to a single NIC, and have
no exposure to Win2k.
I've done it in advanced
Salman Ghani wrote:
Hi there,
Can two IPs be bound to a single NIC in Win2k? A friend of mine is telling
me it's possible. I don't think any OS will allow that, but then again I work
on UNIX, which sticks an IP to a single NIC, and have no exposure to Win2k.
Salman
What?? Of
On 2001-02-05 22:12, Salman Ghani wrote to [EMAIL PROTECTED] about...:
SG Hi there,
SG
SG Can two IPs be bound to a single NIC in Win2k? A friend of mine is telling
SG me it's possible. I don't think any OS will allow that, but then again I work
SG on UNIX, which sticks an IP to a single NIC
G'day,
One problem that springs immediately to mind is that there is probably a PHY
problem - unless your switch supports ADSL / ISDN / X.21 serial or whatever.
Another is that it would be very difficult to move to a firewall / DMZ
environment in the future (without using VLANS or something -
Hi
You can assign multiple IPs in WinNT/Win2k or even in Unix very easily.
WinNT: go to Protocols -> TCP/IP -> IP -> Advanced and there add as many IPs as you
like.
In Linux: ifconfig $interface:0 192.168.2.1
where $interface is the name of the ethernet or other interface, e.g. eth0
Azher
-Original Message-
From:
Every Unix I've seen can do it too (plus NT and W2K). It's mainly used for
hardware virtual hosting (virtual hosting via IP instead of hostname where
one server needs to represent several sites) or in particular combinations
of High Availability solutions.
-Original Message-
From:
Salman Ghani wrote:
How about AIX??
I have one AIX box on my entire network, and its mission-critical
function is to rack up SETI points for me. :-)
I guess I could SSH over there, read the man page for AIX's ifconfig,
then ifconfig up a virtual address for it, but then it
On 2001-02-06 03:25, Azher Amin Mughal wrote to Salman Ghani about RE:...:
AAM Hi
AAM
AAM You can assign multiple IPs in WinNT/Win2k or even in Unix very easily.
AAM
AAM WinNT: go to Protocols -> TCP/IP -> IP -> Advanced and there add as many IPs as you
AAM like.
AAM
AAM In Linux: ifconfig $interface:0
ifconfig tr0 192.168.0.1
ifconfig tr0 192.168.0.2 alias
Sorry for the token ring example. I forgot what the ethernet interface name
was (it's been so long - en0?) and tr is appropriate given the platform! :-)
--
Gene Lee
[EMAIL PROTECTED]
[EMAIL PROTECTED]
- Original Message -
From:
On Mon, Feb 05, 2001 at 09:21:15AM -0500, Michael T. Babcock wrote:
I should have been more specific. I assumed they would attack your public key
-- and that was my issue ... 40 bit keys (most commonly used still) and
eventually 128 bit keys should not be considered 'sufficient' to defeat an
Hi !
Can anybody help me to block Yahoo Messenger and to allow FTP through the PIX firewall...
(Internet) | Cisco1601 | PIX (4.0) |(3660-Cisco) |(CorporateWebServer)
Thanks in advance ..
yusuf H B
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
Hello
We are running Checkpoint 4.1 FW1 (SP2) with
both IKE and FWZ configured. UDP encapsulation has
also been implemented on the server.
We have a growing number of users (engineers) who
wish to use DSL at home with the Checkpoint SecuRemote
client. I know there are some issues with