I need to know if there is any SNMP management system to configure the
NETGAP appliance.
And I'm not talking about the regular Rules GUI; I'm talking about a
graphical environment where you can actually see the NETGAP, check port
traffic usage, CPU usage, etc. (not MRTG), something like the Radware WSD
management system or Nortel/BayStack switch management via SNMP.
I'll also need information on where I can find "Private MIBs" for the
NETGAP firewall; even a simple list of private OIDs with descriptions
will do.

Thanks guys!

-Shay Hugi, Systems Engineer.
-Mpthrill.com

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, April 18, 2002 7:18 PM
Subject: Firewalls digest, Vol 1 #705 - 10 msgs


> Send Firewalls mailing list submissions to
> [EMAIL PROTECTED]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.gnac.net/mailman/listinfo/firewalls
> or, via email, send a message with subject or body 'help' to
> [EMAIL PROTECTED]
>
> You can reach the person managing the list at
> [EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Firewalls digest..."
>
>
> Today's Topics:
>
>    1. [LOG_CRIT] kernel: FW-1: Warning: modify for a new entry: (Mani Sri)
>    2. RE: Microsoft ISA server (Was: Re: Replacing my old PIX Classic)
>        (Clifford Thurber)
>    3. RE: Microsoft ISA server (Was: Re: Replacing my old PIX Classic)
>        (Ron DuFresne)
>    4. RE: Microsoft ISA server (Was: Re: Replacing my old PIX Classic)
>        ([EMAIL PROTECTED])
>    5. RE: Microsoft ISA server (Was: Re: Replacing my old PIX Classic)
>        (Ron DuFresne)
>    6. Digital Legends (was: RE: Microsoft ISA server (Was: Re:
>        Replacing my old PIX Classic)) (Brian Ford)
>    7. Re: Digital Legends (was: RE: Microsoft ISA server (Was: Re:
>        Replacing my old PIX Classic)) (Clifford Thurber)
>    8. Re: PIX IDS Configuration (Michael Janke)
>
> --__--__--
>
> Message: 1
> Subject: [LOG_CRIT] kernel: FW-1: Warning: modify for a new entry:
> Date: Thu, 18 Apr 2002 11:04:50 -0400
> From: "Mani Sri" <[EMAIL PROTECTED]>
> To: "Firewalls Mail Group (E-mail)" <[EMAIL PROTECTED]>
>
> Hi,
>
> Any one having any idea why I am getting this error message ?
>
> fw1 [LOG_CRIT] kernel: FW-1: Warning: modify for a new entry:
> fw1 [LOG_CRIT] kernel:   <d1a7b074,804b,8121a8b4,0,11;0,4000,0>  <0 : =
> =3D0
> 22>
>
> My environment is as follows :
>
> I am running checkpoint VPN 1 & Firewall 1 (Build 41864) on two Nokia
> IP440 (IPSO 3.4.1) and running VRRP monitor circuit.
>
> Thanks & Regards,
>
> Mani Sri
> Systems Engineer
> Diginara Corp.
> E-mail: [EMAIL PROTECTED]
>
>
> --__--__--
>
> Message: 2
> Date: Wed, 17 Apr 2002 10:15:29 -0400
> From: Clifford Thurber <[EMAIL PROTECTED]>
> Subject: RE: Microsoft ISA server (Was: Re: Replacing my old PIX Classic)
> To: Noonan Wesley <[EMAIL PROTECTED]>,
> 'Mikael Olsson' <[EMAIL PROTECTED]>
> Cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
>
> I would be curious to know which UNIX if anyone knows. If I remember
> correctly Xenix was owned by Microsoft at one point in the 80's correct? I
> think where people get hung up is that anything that's ASIC-based or has no
> hard drive that spins up they believe somehow does not contain an OS.
>
> At 09:12 AM 4/17/2002 -0500, Noonan, Wesley wrote:
> >A sizable chunk of Cisco (don't know for sure on the PIX, but I know on
> >their routers) runs an OS behind the scenes that is called Xenix, XNS, ZNS,
> >or something along those lines (I really don't recall the actual name). IOS
> >runs on top of that (is my understanding, kind of like how Banyan ran on top
> >of Unix). My point was simply, if one is going to cast the "a firewall is
> >only as strong as the underlying OS" stone, they need to be prepared to cast
> >that stone at virtually every firewall out there. It is hardly an ISA
> >specific issue (heck, FW1 runs on MS doesn't it?).
> >
> >Wes Noonan
> >[EMAIL PROTECTED]
> >281-208-8993
> >
> >
> > > -----Original Message-----
> > > From: Clifford Thurber [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, April 17, 2002 08:48
> > > To: Noonan Wesley; 'Mikael Olsson'
> > > Cc: '[EMAIL PROTECTED]'
> > > Subject: RE: Microsoft ISA server (Was: Re: Replacing my old PIX Classic)
> > >
> > > What is the connection between Xenix and Cisco here:
> > >
> > > ...Xenix (or whatever it is called that runs
> > > Cisco under the covers), Windows, etc. In
> > >
> > >
> > > At 08:17 PM 4/16/2002 -0500, Noonan, Wesley wrote:
> > > > > -----Original Message-----
> > > > > From: Mikael Olsson [mailto:[EMAIL PROTECTED]]
> > > > > Sent: Tuesday, April 16, 2002 17:56
> > > > > To: Noonan, Wesley
> > > > > Cc: '[EMAIL PROTECTED]'
> > > > > > Subject: Re: Microsoft ISA server (Was: Re: Replacing my old PIX Classic)
> > > > > > >
> > > > > > > - It's a pretty decent caching server, reducing bandwidth needs.
> > > > > > > - It integrates tightly with existing windows networks
> > > > > > > - Tiered management that can be delegated at different levels to
> > > > > > >   different users/groups
> > > > > >
> > > > > > Yes. In a mail that has yet to reach the list (?!?), I listed these
> > > > >
> > > > >That has happened to me a few times of late...
> > > > >
> > > > > > On the second point: I'm not sure I want my firewall integrating
> > > > > > that tightly with windows boxes driven by ordinary lusers.
> > > > >
> > > > >Let me clarify, by that I meant things like using user security and not
> > > > >needing to maintain a separate database, etc.
> > > > >
> > > > > >
> > > > > > > It scales something fierce, both up and out. I've read reports of
> > > > > > > it scaling out to 32 nodes and over 1Gbps in bandwidth.
> > > > > >
> > > > > > I thought you were listing "pro"s here?
> > > > > > I know of several firewalls that give you that performance with
> > > > > > a single box. And don't even get me started on the TCO for those
> > > > > > 32 boxes.
> > > > >
> > > > >What kind of box? The numbers I saw were on PIII 700's with 512MB of RAM.
> > > > >Point taken on the TCO (but then again, Solaris boxes don't always come
> > > > >cheap in a server form either... and we won't even get into what I have
> > > > >read about Checkpoint's incredible licensing fees... may be the only
> > > > >thing worse than ISA's per proc licensing agreement...)
> > > > >
> > > > > > > It is generally easier to manage for shops that already have an
> > > > > > > investment in MS technologies and skillsets.
> > > > > >
> > > > > > I disagree. Substitute "generally" with "sometimes", and I'll agree.
> > > >
> > > >OK, consider it substituted.
> > > >
> > > > > Any "OS-less" firewall will be easier to get to point A than a
> > > > > windows box, even for an experienced windows administrator. And
> > > >
> > > > >I dunno, I have seen more than one place boot PIX for ISA because of
> > > > >specifically that. Now frankly, that perplexes me because I find the PIX
> > > > >to be infinitely easier to deal with than ISA (hell, I went and bought it
> > > > >even though I have the license and the hardware for ISA).
> > > >
> > > > > if said firewall has a management software running under windows,
> > > > > the difference there is nil: in both cases, the admin needs to
> > > > > learn a new management interface.
> > > >
> > > >Fair enough. I can see that.
> > > >
> > > > > > Built in VPN capabilities.
> > > > > > Stateful packet inspection and application level proxying
> > > > > > Native support for multiple interfaces
> > > > >
> > > > > While these are good points, I hardly think it is much of a
> > > > > pro for ISA server, given the number of other firewalls that
> > > > > also have these features.
> > > >
> > > > >No, not pro's as much as "these are the things that 'real' firewalls
> > > > >are supposed to do, and it does". When people make the flawed comparison
> > > > >to Proxy, I think the illumination they provide is relevant.
> > > > >
> > > > > > > Going on third party info here (may be wrong), but as of today it
> > > > > > > has experienced fewer vulnerabilities from the date it was shipped
> > > > > > > till now than either the PIX or FW1, and no vulnerabilities have
> > > > > > > caused a security compromise (when it fails, it fails closed).
> > > > > >
> > > > > > You forgot to count the OS vulnerabilities.
> > > > >
> > > > >Actually, again to my knowledge ISA's exploits haven't allowed that. If
> > > > >you want to bring that point in though, it becomes true for *every* OS
> > > > >that is out there, BSD, Linux, Solaris, Xenix (or whatever it is called
> > > > >that runs Cisco under the covers), Windows, etc. In short, that point
> > > > >being "universal", it isn't really fair to attach it strictly to an ISA
> > > > >scenario.
> > > > >
> > > > >Besides, a good admin can and will kill a whole lot of those services,
> > > > >processes and bindings that are responsible for many of those
> > > > >vulnerabilities.
> > > >
> > > > > > It is highly extensible with a slew of third party add-ons for
> > > > > > everything from access control to IDS to monitoring to hardening
> > > > > > to logging and reporting.
> > > > >
> > > > > Hrm, I'm very tempted to say something acid-dripping about
> > > > > the general security quality of even "top notch" windows-
> > > > > based software. Not to mention a slew of it.
> > > >
> > > >I could do the same thing about the wealth of un-usable Unix apps.
> > > >
> > > > > I think you would have a somewhat different opinion of this
> > > > > if you just knew how many windows drivers actually protect
> > > > > their driver interfaces. (About one TOTAL in a normal install.)
> > > >
> > > >You assume somehow that I don't know this?
> > > >
> > > > > Not to mention the (IMHO) insane complexity of even setting
> > > > > an ACL on a shared object.
> > > > >
> > > > > Even assuming that Microsoft got ISA server right, I'm not sure
> > > > > that I'd want to be installing all those gadgets that actually
> > > > > > make it do what a firewall should do (i.e. log stuff that gets
> > > > > > dropped somewhere useful).
> > > > >
> > > > >You lose base here. Install what gadgets that actually make it do what a
> > > > >firewall should do? I feel like we are right back at where we started
> > > > >here...
> > > >
> > > >Wes
> > > >_______________________________________________
> > > >Firewalls mailing list
> > > >[EMAIL PROTECTED]
> > > >http://lists.gnac.net/mailman/listinfo/firewalls
>
>
> --__--__--
>
> Message: 3
> Date: Thu, 18 Apr 2002 10:26:49 -0500 (CDT)
> From: Ron DuFresne <[EMAIL PROTECTED]>
> To: "Noonan, Wesley" <[EMAIL PROTECTED]>
> Cc: "'Clifford Thurber'" <[EMAIL PROTECTED]>,
> "'Mikael Olsson'" <[EMAIL PROTECTED]>,
> "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: RE: Microsoft ISA server (Was: Re: Replacing my old PIX Classic)
>
> On Wed, 17 Apr 2002, Noonan, Wesley wrote:
>
> > A sizable chunk of Cisco (don't know for sure on the PIX, but I know on
> > their routers) runs an OS behind the scenes that is called Xenix, XNS, ZNS,
> > or something along those lines (I really don't recall the actual name). IOS
> > runs on top of that (is my understanding, kind of like how Banyan ran on top
> > of Unix). My point was simply, if one is going to cast the "a firewall is
> > only as strong as the underlying OS" stone, they need to be prepared to cast
> > that stone at virtually every firewall out there. It is hardly an ISA
> > specific issue (heck, FW1 runs on MS doesn't it?).
> >
>
>
> Matters may have changed in more current releases of fw1, and the windows
> OS' of late, but, it used to run poorly on NT.  System reboots being
> required often when we used it on that OS.  Ran/runs much better on sun
> systems.  I'm not sure of the stability of the linux implementations now
> available.
>
> Thanks,
>
> Ron DuFresne
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity.  It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D.  Just don't touch anything.
>
>
> --__--__--
>
> Message: 4
> Subject: RE: Microsoft ISA server (Was: Re: Replacing my old PIX Classic)
> To: Clifford Thurber <[EMAIL PROTECTED]>
> Cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> From: [EMAIL PROTECTED]
> Date: Thu, 18 Apr 2002 10:54:37 -0500
>
>
> Cliff,
>
>      This discussion about the PIX OS has occurred several times on this
> list and I think on the firewall-wizards list.  Looking in the archives
> should give you the answer.  I don't remember the answer except I don't
> believe it was based off of a commercial UNIX.  As for XENIX, it is
> currently called SCO UNIX.  SCO bought the XENIX rights from Microsoft and
> originally called it SCO XENIX then they switched the name to SCO UNIX.
> They also currently own the UNIX trademark too.
>
> Regards,
> Jeffery Gieser
>
>
> I would be curious to know which UNIX if anyone knows. If I remember
> correctly Xenix was owned by Microsoft at one point in the 80's correct? I
> think where people get hung up is that anything that's ASIC-based or has no
> hard drive that spins up they believe somehow does not contain an OS.
>
>
> --__--__--
>
> Message: 5
> Date: Thu, 18 Apr 2002 11:20:01 -0500 (CDT)
> From: Ron DuFresne <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Cc: Clifford Thurber <[EMAIL PROTECTED]>,
> "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: RE: Microsoft ISA server (Was: Re: Replacing my old PIX Classic)
>
>
>
> And presently under the caldera name, along with unixware.
>
> Thanks,
>
> Ron DuFresne
>
>
> On Thu, 18 Apr 2002 [EMAIL PROTECTED] wrote:
>
> >
> > Cliff,
> >
> >      This discussion about the PIX OS has occurred several times on this
> > list and I think on the firewall-wizards list.  Looking in the archives
> > should give you the answer.  I don't remember the answer except I don't
> > believe it was based off of a commercial UNIX.  As for XENIX, it is
> > currently called SCO UNIX.  SCO bought the XENIX rights from Microsoft and
> > originally called it SCO XENIX then they switched the name to SCO UNIX.
> > They also currently own the UNIX trademark too.
> >
> > Regards,
> > Jeffery Gieser
> >
> >
> > I would be curious to know which UNIX if anyone knows. If I remember
> > correctly Xenix was owned by Microsoft at one point in the 80's correct? I
> > think where people get hung up is that anything that's ASIC-based or has no
> > hard drive that spins up they believe somehow does not contain an OS.
> >
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls
> >
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity.  It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D.  Just don't touch anything.
>
>
> --__--__--
>
> Message: 6
> Date: Thu, 18 Apr 2002 12:27:08 -0400
> To: "Noonan, Wesley" <[EMAIL PROTECTED]>,
> "'Clifford Thurber'" <[EMAIL PROTECTED]>,
> "'Mikael Olsson'" <[EMAIL PROTECTED]>
> From: Brian Ford <[EMAIL PROTECTED]>
> Subject: Digital Legends (was: RE: Microsoft ISA server (Was: Re:
>   Replacing my old PIX Classic))
> Cc: [EMAIL PROTECTED]
>
> Wes,
>
> I don't know where you heard this legend about  IOS running on some other
> OS....  It is not true.
>
> IOS is an operating system implemented directly on a hardware
> platform.  There is no underlying operating system.  Look at your IOS
> router for a "Boot Loader"; that's a small IOS kernel (and not a third
> party OS).
>
> PIX OS ran many, many, many years ago on top of a real time OS (Finesse)
> that was developed specifically for the hardware platform that the PIX used
> at that time.  Today, the PIX OS runs directly on hardware (when you look
> at the actual PIX source code you sometimes see references to the old real
> time OS).
>
> You may be thinking of one of a number of attempts (by third parties) to
> create a program that runs on Unix that can execute an IOS or PIX
> image.  The latest attempt at something like that was the "IOU" (IOS On
> Unix) project.  I don't know how far that ever got.
>
> This claim that either IOS or PIX is a version of Unix or running on Unix
> is becoming a kind of annual event.  Maybe someone will claim that all
> Linux implementations actually run on one copy of run-time Windows NT v4.0
> next?
>
> Liberty for All,
>
> Brian
>
> At 08:15 AM 4/18/2002 -0700, [EMAIL PROTECTED] wrote:
> >Message: 6
> >From: "Noonan, Wesley" <[EMAIL PROTECTED]>
> >To: "'Clifford Thurber'" <[EMAIL PROTECTED]>,
> >         "'Mikael Olsson'" <[EMAIL PROTECTED]>
> >Cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> >Subject: RE: Microsoft ISA server (Was: Re: Replacing my old PIX Classic)
> >Date: Wed, 17 Apr 2002 09:12:38 -0500
> >
> >A sizable chunk of Cisco (don't know for sure on the PIX, but I know on
> >their routers) runs an OS behind the scenes that is called Xenix, XNS, ZNS,
> >or something along those lines (I really don't recall the actual name). IOS
> >runs on top of that (is my understanding, kind of like how Banyan ran on top
> >of Unix). My point was simply, if one is going to cast the "a firewall is
> >only as strong as the underlying OS" stone, they need to be prepared to cast
> >that stone at virtually every firewall out there. It is hardly an ISA
> >specific issue (heck, FW1 runs on MS doesn't it?).
> >
> >Wes Noonan
> >[EMAIL PROTECTED]
> >281-208-8993
>
>
> --__--__--
>
> Message: 7
> Date: Thu, 18 Apr 2002 12:35:56 -0400
> From: Clifford Thurber <[EMAIL PROTECTED]>
> Subject: Re: Digital Legends (was: RE: Microsoft ISA server (Was: Re:
>  Replacing my old PIX Classic))
> To: Brian Ford <[EMAIL PROTECTED]>,
> Noonan Wesley <[EMAIL PROTECTED]>,
> 'Mikael Olsson' <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
>
> I don't have the link in front of me but I saw a news blurb that Cisco
> licensed QNX in 1998?
>
>
>
> At 12:27 PM 4/18/2002 -0400, Brian Ford wrote:
> >Wes,
> >
> >I don't know where you heard this legend about  IOS running on some other
> >OS....  It is not true.
> >
> >IOS is an operating system implemented directly on a hardware
> >platform.  There is no underlying operating system.  Look at your IOS
> >router for a "Boot Loader"; that's a small IOS kernel (and not a third
> >party OS).
> >
> >PIX OS ran many, many, many years ago on top of a real time OS (Finesse)
> >that was developed specifically for the hardware platform that the PIX
> >used at that time.  Today, the PIX OS runs directly on hardware (when you
> >look at the actual PIX source code you sometimes see references to the old
> >real time OS).
> >
> >You may be thinking of one of a number of attempts (by third parties) to
> >create a program that runs on Unix that can execute an IOS or PIX
> >image.  The latest attempt at something like that was the "IOU" (IOS On
> >Unix) project.  I don't know how far that ever got.
> >
> >This claim that either IOS or PIX is a version of Unix or running on Unix
> >is becoming a kind of annual event.  Maybe someone will claim that all
> >Linux implementations actually run on one copy of run-time Windows NT
> >v4.0 next?
> >
> >Liberty for All,
> >
> >Brian
> >
> >At 08:15 AM 4/18/2002 -0700, [EMAIL PROTECTED] wrote:
> >>Message: 6
> >>From: "Noonan, Wesley" <[EMAIL PROTECTED]>
> >>To: "'Clifford Thurber'" <[EMAIL PROTECTED]>,
> >>         "'Mikael Olsson'" <[EMAIL PROTECTED]>
> >>Cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> >>Subject: RE: Microsoft ISA server (Was: Re: Replacing my old PIX Classic)
> >>Date: Wed, 17 Apr 2002 09:12:38 -0500
> >>
> >>A sizable chunk of Cisco (don't know for sure on the PIX, but I know on
> >>their routers) runs an OS behind the scenes that is called Xenix, XNS, ZNS,
> >>or something along those lines (I really don't recall the actual name). IOS
> >>runs on top of that (is my understanding, kind of like how Banyan ran on top
> >>of Unix). My point was simply, if one is going to cast the "a firewall is
> >>only as strong as the underlying OS" stone, they need to be prepared to cast
> >>that stone at virtually every firewall out there. It is hardly an ISA
> >>specific issue (heck, FW1 runs on MS doesn't it?).
> >>
> >>Wes Noonan
> >>[EMAIL PROTECTED]
> >>281-208-8993
> >
>
>
> --__--__--
>
> Message: 8
> Date: Thu, 18 Apr 2002 11:46:09 -0500
> From: Michael Janke <[EMAIL PROTECTED]>
> Organization: Minnesota State Colleges and Universities
> To: [EMAIL PROTECTED]
> Subject: Re: PIX IDS Configuration
>
> David Ishmael wrote:
> <snip>
> > ports that were not opened on the PIX.  Assuming this functionality
> > isn't there, I was hoping that the PIX would at the very least send a
> > syslog message stating that a port scan had been done for logging purposes.
> >
> > - Dave
> >
> <snip>
>
> I've done a bit of playing with nmap & a PIX. The PIX is v6.1(1) & is
> set up to allow only TCP 80 to a test host.
>
> I'm scanning port 80 & 81 to see which nmap switches will produce
> results & see what the PIX will log.
>
> Scanning with:
>      root@bog# nmap -sS -T 5 -p80-81 134.x.x.1
>
>      Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )
>      Interesting ports on target.host (134.x.x.1):
>      Port       State       Service
>      80/tcp     open        http
>      81/tcp     filtered    hosts2-ns
>
>
> Shows correct status & Generates syslog logs like:
>
> ...%PIX-4-106023: Deny tcp src outside:<attacker>/23177 dst
> inside:134.x.x.1/81 by access-group "INBOUND"
>
> Scanning with:
>      root@bog# nmap -sF -T 5 -p80-81 134.x.x.1
>
>      Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )
>      Interesting ports on target.host (134.x.x.1):
>      Port       State       Service
>      80/tcp     open        http
>      81/tcp     open        hosts2-ns
>
>
> Shows both open & Generates syslogs of:
>
> ...%PIX-4-400028: IDS:3042 TCP FIN only flags from <attacker> to
> 134.x.x.1 on interface outside
> ...%PIX-6-106015: Deny TCP (no connection) from <attacker>/43814 to
> 134.x.x.1/81 flags FIN  on interface outside
>
> Tcpdump on the NMAP host shows that no packets have been returned to NMAP,
> yet NMAP concludes that the ports are open. Nmap generates a false positive?
>
> Scanning with:
>      root@bog# nmap -sN -T 5 -p80-81 134.x.x.1
>
>      Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )
>      Interesting ports on target.host (134.x.x.1):
>      Port       State       Service
>      80/tcp     open        http
>      81/tcp     open        hosts2-ns
>
> Generates syslogs of:
>
> ...%PIX-4-400026: IDS:3040 TCP NULL flags from <attacker> to 134.x.x.1
> on interface outside
> ...%PIX-6-106015: Deny TCP (no connection) from <attacker>/55006 to
> 134.x.x.1/81 flags  on interface outside
>
> And incorrectly show both ports open in NMAP. Again, no packets were
> returned to the NMAP host.
>
>
> Scanning with:
>      root@bog# nmap -sX -T 5 -p80-81 134.x.x.1
>
>      Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )
>      Interesting ports on target.host (134.x.x.1):
>      Port       State       Service
>      80/tcp     open        http
>      81/tcp     open        hosts2-ns
>
> Generates:
> ...%PIX-6-106015: Deny TCP (no connection) from <attacker>/51748 to
> 134.x.x.1/80 flags FIN PSH URG  on interface outside
>
> This is again a false positive from NMAP.
>
> It looks to me like the PIX is logging as it should.
>
> --
> -----------------------------------------
> Michael Janke
> Director, Network Services
> Minnesota State Colleges and Universities
> -----------------------------------------
>
>
>
> --__--__--
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
>
>
> End of Firewalls Digest

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
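
The PIX syslog messages quoted in Message 8 of the digest above (106023, 106015, and IDS signatures 3042 and 3040) are enough to build a small scan detector. The following is an added example, not part of the original thread; the sample log lines, addresses, hostname, the "no-conn-other" label and the `min_denied_ports` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the message formats quoted in the thread.
# Addresses are RFC 5737 documentation ranges; timestamps and hostname are made up.
SAMPLE_LOG = """\
Apr 18 11:40:01 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/23177 dst inside:192.0.2.1/81 by access-group "INBOUND"
Apr 18 11:40:01 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/23178 dst inside:192.0.2.1/82 by access-group "INBOUND"
Apr 18 11:41:10 pix %PIX-4-400028: IDS:3042 TCP FIN only flags from 198.51.100.7 to 192.0.2.1 on interface outside
Apr 18 11:41:10 pix %PIX-6-106015: Deny TCP (no connection) from 198.51.100.7/43814 to 192.0.2.1/81 flags FIN  on interface outside
Apr 18 11:42:30 pix %PIX-4-400026: IDS:3040 TCP NULL flags from 198.51.100.7 to 192.0.2.1 on interface outside
Apr 18 11:42:30 pix %PIX-6-106015: Deny TCP (no connection) from 198.51.100.7/55006 to 192.0.2.1/81 flags  on interface outside
Apr 18 11:43:45 pix %PIX-6-106015: Deny TCP (no connection) from 198.51.100.7/51748 to 192.0.2.1/80 flags FIN PSH URG  on interface outside
Apr 18 11:50:02 pix %PIX-6-106015: Deny TCP (no connection) from 203.0.113.9/40112 to 192.0.2.1/80 flags RST  on interface outside
"""

ACL_DENY = re.compile(
    r"%PIX-4-106023: Deny tcp src \S+?:(?P<src>[\d.]+)/\d+ "
    r"dst \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+)")
NO_CONN = re.compile(
    r"%PIX-6-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/\d+ "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]*?)\s*on interface")
IDS_SIG = re.compile(
    r"%PIX-4-4000\d\d: IDS:(?P<sig>\d+) .*? from (?P<src>[\d.]+) to (?P<dst>[\d.]+) ")

# Only the two signature IDs that appear in the thread are mapped.
IDS_KINDS = {"3042": "fin", "3040": "null"}
# 106015 prints the TCP flags of the dropped segment; an empty list is a NULL probe.
FLAG_KINDS = {frozenset(): "null",
              frozenset({"FIN"}): "fin",
              frozenset({"FIN", "PSH", "URG"}): "xmas"}
STEALTH = {"fin", "null", "xmas"}


def parse_line(line):
    """Return (src, dst, dport_or_None, kind) for a recognised line, else None."""
    m = ACL_DENY.search(line)
    if m:
        return m["src"], m["dst"], int(m["dport"]), "acl-deny"
    m = NO_CONN.search(line)
    if m:
        kind = FLAG_KINDS.get(frozenset(m["flags"].split()), "no-conn-other")
        return m["src"], m["dst"], int(m["dport"]), kind
    m = IDS_SIG.search(line)
    if m and m["sig"] in IDS_KINDS:
        return m["src"], m["dst"], None, IDS_KINDS[m["sig"]]
    return None


def summarize(log_text):
    """Group recognised events by source address."""
    per_src = defaultdict(lambda: {"kinds": set(), "ports": set(), "acl_denied": set()})
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        src, dst, dport, kind = event
        per_src[src]["kinds"].add(kind)
        if dport is not None:
            per_src[src]["ports"].add((dst, dport))
            if kind == "acl-deny":
                per_src[src]["acl_denied"].add((dst, dport))
    return {src: {key: sorted(vals) for key, vals in info.items()}
            for src, info in per_src.items()}


def suspected_scanners(log_text, min_denied_ports=2):
    """Sources that sent FIN/NULL/Xmas probes or hit several ACL-denied ports."""
    hits = []
    for src, info in summarize(log_text).items():
        if STEALTH & set(info["kinds"]) or len(info["acl_denied"]) >= min_denied_ports:
            hits.append(src)
    return sorted(hits)


if __name__ == "__main__":
    for src in suspected_scanners(SAMPLE_LOG):
        print(src, summarize(SAMPLE_LOG)[src])
```

As in the thread, the FIN/PSH/URG probe is logged by 106015 even though it targets the permitted port 80, so keying only on ACL denies (106023) would miss it.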
