Take a look at Netscreen Devices with the newest release 2.6 ! I have had a
similar problem and I solved it with the policy based nat feature of the
new release.
:-)horst
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of dark dark
Sent:
Greetings!
n c wrote:
What does pgpdisk offer (excluding everything else in
the pgp desktop security software) that is better than
Windows 2000's encrypted file system?
Independence of OS, medium and user - you can transfer the PGPdisk to
Win95, WinNT, CD, ZIP - whatever medium you like
Not specifically with a PIX, but I have had occasion to have
lines/addresses from multiple ISPs mapping to the same host. The
only firewall issue was to ensure that return packets get NATted
according to the particular rule/conduit used to set up the inbound
connection -- and I think a NAT
Can be a big network? It either is or isn't a big network.
Renumbering at any size is the *ideal* solution. And it is a one time thing with any
luck.
Bear in mind that if you are actually dealing with a large network, it could easily
follow that you are dealing with a large number of
Hi,
Does anyone have an idea how NAT could be implemented for H.323? Since I don't
have any idea of the H.323 protocols...
Please do suggest some hints.
thanks
chandrak
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
unsubscribe firewalls in the body of the message.]
Okay. Java Programmer Ted is a user on the internal network. Sun
discovers some major flaw in Java and posts a fix on their server.
Ted wants to download the fix.
To Ted's machine, the address of Sun's server appears to lie within
the local subnet. Ted's download request never gets to
Hmmm Maybe the
PIX can't have conduits mapped to subnets other than the one the
interface is directly connected to?
This is most assuredly possible, although opening holes to the internal
network must always be evaluated on the basis of Business need Vs. Security
risk, for your
Title: RE: Firewall/network in home: ok here is what i got to work with..
There are plenty of good books and Linux HOWTOs online for what you want.
I suggest you start with the Linux documentation project web site.
Renee Lee
-Original Message-
From: Zachary Uram
I've got ipchains running on one of the local Linux servers and have all
denied packets being logged. The logs look like:
kernel: ll header: ff ff ff ff ff ff 00 a0 c9 06 37 1c 08 00
I know I've seen this before but can't remember what the workaround for it
was. On a separate note and
If your only tool is a hammer then every problem
becomes a nail.
--- Ben Nagy [EMAIL PROTECTED] wrote:
-Original Message-
From: Michael Batchelder
[mailto:[EMAIL PROTECTED]]
Sent: Saturday, June 02, 2001 1:03 PM
To: [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: Re:
Ever thought of using a unix syslog server instead of a windows one?? This
way you wouldn't have to convert just pull the data from the other one.
From: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: RE: syslog
Date: Tue, 5 Jun 2001 09:56:17 +0800
Hi all!
I'm looking
RE: Firewall/network in home: ok here is what i got to work with..and the
address would be
http://www.linuxdoc.org/
mike.
- Original Message -
From: Lee, Dana-Renee
To: 'Zachary Uram' ; [EMAIL PROTECTED]
Sent: Tuesday, June 05, 2001 7:45 AM
Subject: RE: Firewall/network in home: ok
Title: RE: Penetrating a NAT
Since
NAT hides the Internal IP address yet does not limit connections in any way,
shouldn't NAT be considered 'Security by Obfuscation'?
We all
know that NAT alone is not the answer. I am pretty new to the security field and
even I know that. However NAT is a
Title: RE: NAT for H.323
Unfortunately, this has been a problem with the way that H323 protocols are written. Using NAT with them is somewhat of a pain in the neck.
I am in the process of setting up my network @ home to allow me to use NetMeeting with clients in the office, and out in the
Sounds like you want to do a lot with only 5 machines, at least one of which
I have doubts as to its usability. Furthermore, you have 1 ethernet card
according to your list. How are you going to run 5 machines on a network
with only one ethernet card. Was this just a typo? As for setting all
Comments inline:
Shawn
This looks very interesting! Thanks for sharing!
Bear in mind I haven't done it myself.
However, I do successfully use different public IP's (from different
interfaces) homed to the same internal host in my network
on my production
PIX.
I don't quite
I am currently using IPCHAINS as a firewall/packet filtering security
measure
for our company. Do most people use a packet filtering system in
conjunction with
a proxy application level security measure?
[EMAIL PROTECTED] wrote:
I'm looking for a reliable freeware that can convert syslogd for Windows
NT to Unix. Any suggestions?
Freeware it's not, but the NFR Secure Log Repository (SLR) comes
with an agent that converts NT system logs (and also forwards flat file
logs) to a central
On Tue, 5 Jun 2001, Brooks Carlson wrote:
I am currently using IPCHAINS as a firewall/packet filtering security
measure
for our company. Do most people use a packet filtering system in
conjunction with
a proxy application level security measure?
-
Most people probably isn't the best
How can I configure the PIX to restrict users from using irc, icq and MSN
Messenger?
IRC: 6665-6669,
ICQ: 1023, 1024, 1025, 4000
MSN Messenger: 1863
I tried using conduit deny commands for these ports, but it does not seem to
work.
Iván López
On a related line.
I currently have my unix servers configured for syslog to dump the logs
out a serial port to a central machine that gathers them. I would like to
do the same thing for my NT machines but have not yet found anything that
will do the job.
I have several different network
Hi
I have a squid proxy on my firewall; in the DMZ I have a webserver
(apache on linux) with two websites (virtual names - hosts,
www.jiffie.nl and www.wagenverkoop.nl)
When trying to access one of the websites from outside there is no
problem (bypassing squid).
When I try to connect to
I have some guy that scans my firewall and his packets are dropped by rule 0 as
unknown established tcp packet. On the other hand I receive e-mail alerts from CPMAD
that state that there is a port scanning attack from this address.
In the output of fwinfo command I see the address of this guy
Hi,
From STD 0007, formerly 16,000 different RFCs,
In the output of fwinfo command I see the address of this guy listed and
in the
state column it appears as FIN_WAIT_2
I know that using nmap you can initiate FIN scan
Questions:
1.What is FIN?
FIN-WAIT-1 - represents waiting for a
Ben's example is more akin to my own variation: When you have a
nail to drive, every tool becomes a potential hammer.
David Gillett
On 5 Jun 2001, at 5:34, patrick kerry wrote:
If your only tool is a hammer then every problem
becomes a nail.
--- Ben Nagy [EMAIL PROTECTED]
Obviously, I wasn't clear about this
Scenario:
Host A1 is on some internal segment, behind the PIX.
The PIX's external/untrusted interface is on subnet B. Clearly, it
can have a static definition mapping address B1 -- also on subnet B --
to the internal address A1, allowing B1 to be
I STRONGLY recommend that you *should* do it this way.
Your stance should not be What new threats am I going to have to
block against today?, but rather What are the implications of
allowing this new access some user wants?
i.e. Deny all, and then allow what your policy says you must.
I've got code that reads the NT system logs and dumps them to text
files -- I bet it wouldn't be at all hard to dump to a serial port
instead. Is this something there's demand for?
David Gillett
On 5 Jun 2001, at 8:50, David Lang wrote:
On a related line.
I currently have my unix
On Tue, 5 Jun 2001, Eliyah Lovkoff wrote:
1.What is FIN?
http://httpd.apache.org/docs/misc/fin_wait_2.html has your answer.
2. Does FIN_WAIT_2 indicates that it was a FIN port scanning?
it's possible it was a scan, but I think it may have been a SYN then ACK
(but no FIN, deducing this from
I have been learning as much as possible about Linux and networking. There
is a huge amount of
information available, and I have done extensive searches of www.google.com,
Linux HOWTOs, and
several textbooks. I do have a couple of questions which I can't seem to
find a direct answer to:
The answer (for PIXen v5) is that unless the second alias C1 is part of the
same subnet as B1, it can't be advertised on the lower security interface.
There is a caveat: if NAT is not configured going from high -> low
interfaces, you can advertise a higher security IP on a lower security
On Tue, 5 Jun 2001, Brooks Carlson wrote:
What is the distinction between IPCHAINS, IPTables, IP-Masquerade,
IPFWADM and NETFILTER?
Am I correct in saying that the evolution of the Linux firewall was:
IPFWADM --- IPCHAINS --- IPTables?
yep. ipfw/ipfwadm came from BSD and
-Original Message-
From: Brooks Carlson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 05, 2001 3:02 PM
To: 'Firewalls (E-mail)
Subject: Lost in Linux IP Acronym Land
I have been learning as much as possible about Linux and
networking. There
is a huge amount of
ACK, SYN, FIN, RST, PSH - all flags/parts of TCP session setup/teardown etc.
Read the book TCP/IP Illustrated from Stevens/Wright, it's recommended and well worth
it.
setup:    SYN ->
setup:    <- SYN-ACK
setup:    ACK ->
data:     <- ACK
data:     ACK ->
teardown: FIN-ACK -> (okay, I am done... let's close this session)
Hi
Sorry if this question was asked again and again.
I have just 1 user who says Securemote asks her to
enter the passwd 15 times in a day when she uses
dialup. Before I plan to re-install the Securemote
remote client software again, can someone explain this
behaviour. Thx
Ragu
The answer is yes but it depends.
If the traffic on to C1 originates on the C subnet
or a known subnet that you have entered static routes for
then all is well
If the Traffic originates from a unknown subnet and you are depending then
on the default gateway.
The out bound traffic will
--- PURELY FYI
On Tue, 5 Jun 2001, Michael R. Jinks wrote:
You don't say why you are considering Linux, but if the idea is just
to use a free Unix-like OS to handle your firewalling, I recommend
having a look at OpenBSD. Even if you don't choose to use it, their
documentation is
This may not be the best topic for the group but you all are the most
savvy bunch I have access to!
I am looking for a product that will allow me to create redundancy with
multiple upstream connections while not having to use BGP to make it all
work. From what their literature says, Fat Pipe
The SecuRemote timeout is set in the properties for the user on the
firewall. The default is 60 minutes. Just set it for longer time period.
Lance
- Original Message -
From: ragu nandan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, June 05, 2001 5:46 PM
Subject: Securemote
I think the question was howto go from NT event logs to unix syslogd server.
I've seen a UTIL for this at www.bhs.com iirc..
Matthew
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of J Weismann
Sent: 05 June 2001 13:37
To: [EMAIL PROTECTED]
Subject: RE:
In fact you can go one step further and say that you don't even have to be
able to ping an IP address from the PIX to be able to statically translate
it. That is, you can have two subnets on the one PIX interface, even though
you can only assign one IP address to a PIX interface. This is useful
Here are some syslog - NT Event Log tools I've found. Some are servers,
some are clients, some are both, some are neither, some are free, some
aren't, etc...
I've used the Kiwi's Syslog Daemon for Windows, but none of the others.
NTSyslog looks pretty close to what I think your requirements
On Tue, 5 Jun 2001, Steve Riley (MCS) wrote:
I think we all here agree that encryption is a good thing. I won't
Not really, I think encryption can be a bad thing - as can tunneling in
general, hence my article in the last Information Security Magazine
issue...
preach to the choir by
-Original Message-
From: Carl E. Mankinen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 06, 2001 6:40 AM
To: Eliyah Lovkoff
Cc: [EMAIL PROTECTED]
Subject: Re: FIN_WAIT_2
ACK, SYN, FIN, RST, PSH - all flags/parts of TCP session
setup/teardown etc.
Read the book TCP/IP
hi chad
-- sorta off topic from your initial post but...
to send out your traffic is easy
have an outgoing gateway that has routes to many isp...
incoming connection to www.computingsolutions.com is trickier
- if your isp goes down... you're dead unless you
have a redundant
I share the same concern; can the inbound services we offer via the internet using Sun
iPlanet be penetrated without being detected since the attack is transported within
SSL?
For example IMAP/HTTP/SSL/TCP/IP.
I would like for someone to convince me that my concern is unfounded. Any takers?
On Tue, 5 Jun 2001, Paul D. Robertson wrote:
Not really, I think encryption can be a bad thing - as can tunneling in
general, hence my article in the last Information Security Magazine
issue...
Hi,
Is this article available online?
[EMAIL PROTECTED]
Blessed are those who have not seen and
Thanks everybody for the help.
Yes, I used CPCONFIG on Nokia router to add the IP
address of GUI client. After that I could login to CP
firewall.
--- opie san [EMAIL PROTECTED] wrote:
Hello Pat,
Have you checked to see whether or not the PC you've
loaded the GUI client
software on is
hi all,
I've been researching this problem for several days now, and have come
up totally short in terms of finding a solution. Here's the scenario: I
have a PIX 515 with an internal network range of 192.168.0.0/24 behind
it and a single external IP I obtain via DHCP [cable]. I have the PIX
Hi, am I getting trouble with this log?
0 in use, 128 remain, 0 most used
UDP out 198.41.0.4:12626 in 192.168.1.2:53 idle 0:01:30 flags -
UDP out 192.33.4.12:6614 in 192.168.1.2:53 idle 0:01:00 flags -
UDP out 4.2.49.4:6809 in 192.168.1.2:53 idle 0:00:30 flags -
UDP out 198.41.0.4:350
[sorry, all, if this comes through twice - I've sent something since which
has arrived, but haven't seen this one come through]
-Original Message-
From: Steve Riley (MCS) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 06, 2001 8:28 AM
To: [EMAIL PROTECTED]
Subject: Encryption vs.