Friday, June 10, 2005

firewall-wizards digest, Vol 1 #1607 - 9 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. RE: Going meta (was RE: [fw-wiz] Ok, so now we have a firewall...) (Brian Loe)
2. Re: Ok, so now we have a firewall, we're safe, right? (R. DuFresne)
3. "VLAN jumping" attack? (Scott Stursa)
4. Strange Pix behavior. (George J. Jahchan, Eng.)
5. Re: Ok, so now we have a firewall, we're safe, right? (R. DuFresne)
6. so much for "deny all" (Tina Bird)
7. Host based vs network firewall in datacenter (Zurek, Patrick)
8. RE: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? (FirewallAdmin)
9. Re: Going meta (was RE: [fw-wiz] Ok, so now we have a firewall...) (R. DuFresne)

--__--__--

Message: 1
From: "Brian Loe" <knobdy@stjoelive.com>
To: <firewall-wizards@honor.icsalabs.com>
Subject: RE: Going meta (was RE: [fw-wiz] Ok, so now we have a firewall...)
Date: Sun, 5 Jun 2005 12:50:48 -0500

Has no one here gotten further with their boss in security discussions since
SOX was passed? I have found that in my current position, SOX is pretty much
all I have to mention to get an immediate response, and a friend, working as
a mid-level manager himself, was constantly spammed by his boss in regards
to SOX compliance.

To be honest, I'm new to SOX so I don't even understand everything that it
involves, but it seems those responsible for information security can be
held personally responsible. That's a level of accountability that I might
not completely agree with in terms of my philosophy on government, but it's
one that we should all consider a good start, right?

> >But I've paid for that. Two months ago he did a performance appraisal
> >on me, giving me the first "unsatisfactory" rating I've received in 26
> >years of working for the university. I'm on probation and having to
> >document literally every minute of my day. Not that it will make any
> >difference - I fully expect to be unemployed when my contract expires
> >in August.
> >
> >This is the price I'm paying for *not* being a "sissy".
>
> That sucks! I mean, it is quite possible he is just the breed of
> pencil-neck career-monkey that occur so often in the wild and you
> would never be able to live with him, anyway, but this is precisely
> the kind of situation that occurs again and again and grinds us down
> as a group. Of course it's grinding you now specifically, but I bet
> you a bottle of Jameson's that you end up making more money this time
> next year than you are now (and maybe more than your petty boss :-)
> and enjoy your work more.
>
> I've been following the accountability thread, and it occurs to me
> that the one thing we desperately lack is the ability to deliver good
> practices that people can follow and be held accountable for
> following. In a Perfect World it would be a piece of paper that Scott
> could take to his boss's boss and say "I insisted we follow this, as
> is my responsibility, and Rung Lemur here is all pissy about it."
>

--__--__--

Message: 2
Date: Mon, 6 Jun 2005 15:48:56 -0400 (EDT)
From: "R. DuFresne" <dufresne@sysinfo.com>
To: "Paul D. Robertson" <paul@compuwar.net>
Cc: "Marcus J. Ranum" <mjr@ranum.com>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?
Organization: sysinfo.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[SNIP]

>
> I *still* contend that removing the execute bit from attachments saved on
> MS desktops would give everyone lots more time to deal with credible and
> actual threats, rather than the noise that's become a threat simply
> because of the volume. But I suppose if you spend years forcing your
> loader to load and execute any manner of garbage as happily as it can,
> you'd probably be resistant to that too...
>

The most common reason I have come across for companies not removing the
exe bit, or even putting such attachments into some quarantine, is that
it ends up costing at the help desk. Goes back to user training and
education, which as Tina mentioned in another post, is a non-win issue...

Now, Management training and education, that's the game that might help,
though I tend to regard management as a cog in the wheels as well, from
experience.

Thanks,

Ron Dufresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCpKirst+vzJSwZikRAgBmAJ4rwRQfN0BuvQwSMMOOSx8PCJ2TmgCg3NCJ
tYLPwGwtquIKvHt2Nt9S/C4=
=Esoe
-----END PGP SIGNATURE-----

--__--__--

Message: 3
Date: Mon, 6 Jun 2005 16:01:54 -0400 (EDT)
From: Scott Stursa <stursa@mailer.fsu.edu>
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] "VLAN jumping" attack?

I recently configured a PIX to treat a customer's network as a series of
discrete VLANs, each of which corresponds to functional groupings of hosts
(i.e., DMZ, desktops, internal-use-only servers, etc.), tailoring the ACLs
accordingly. I'd planned to configure the interface as a pure trunk, with
no IP address or VLAN assigned to the physical interface, and all the
VLANs assigned to logical interfaces in turn assigned to the physical
interface. I know this works, because I set up a lab implementation about
a year ago.

However, before I got started, I decided to review the PIX Config Guide,
where I found:

In the attack called "jumping VLANs" an attacker injects packets
onto other VLANs from the native VLAN. To prevent this attack,
never allow access to a native VLAN from any untrusted network.
For maximum security, we recommend avoiding the use of native
VLANs altogether when deploying VLANs in a secure environment.
It is permitted to use native VLANs with the PIX Firewall, but
you should clearly understand the security implications.

To prevent the forwarding of traffic from the PIX Firewall onto
the native VLAN of a switch, use the interface physical command
to assign a VLAN ID (other than VLAN 1) to the physical interface
of the PIX Firewall. Be careful to assign a VLAN ID that is
different from whatever VLAN ID is assigned to the native VLAN on
the switch.

(see
http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1116065
)

So I set it up like:

interface ethernet1 vlan1702 physical
interface ethernet1 vlan376 logical
interface ethernet1 vlan377 logical
interface ethernet1 vlan1703 logical
interface ethernet1 vlan1704 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan376 desktops security70
nameif vlan377 DMZ security50
nameif vlan1703 lab security40
nameif vlan1704 vpn-and-dialups security20
ip address outside 128.186.x.x 255.255.255.248
ip address inside 128.186.n+1.33 255.255.255.224
ip address desktops 128.186.n.1 255.255.255.0
ip address DMZ 128.186.n+1.1 255.255.255.240
ip address lab 128.186.n+1.65 255.255.255.192
ip address vpn-and-dialups 128.186.n+1.129 255.255.255.192

The "inside" network, VLAN1702, the one assigned to the physical
interface, is the location of internal-use-only servers.

Ethernet1 attaches to a Foundry 2402 switch, wherein the "default VLAN" is
1 (apparently "default VLAN" is Foundryspeak for "native VLAN"). The
Foundry has the port defined as a "tagged" link ("trunk" in Ciscospeak).

This was working fine until about two weeks ago when users started
reporting "drop outs" and broken TCP sessions. A network engineer and I
investigated and found this was happening when one of the servers on the
inside net failed. The Foundry's reaction to this was to declare a
"Topology Change Event" and reset every port on the same VLAN. This had
the effect of killing ALL sessions going over the link to the PIX, even
those not going to the "inside" network.

The "band-aid" solution was to disable Spanning Tree Protocol for the
"inside" net VLAN (this was done on the Foundry). The problem ceased and
the users are happy[1].

The engineer wants to restore STP, and thinks he can configure the Foundry
to match the PIX's config. My reading of Foundry documentation leaves me
wondering how this would be done, and I've been trying to get back with
the guy to discuss this option further. I'm wondering if it's really
possible, and even if it theoretically is, whether the two vendors'
interpretations of the 802.1Q standard might differ enough to create more
problems than are solved.

My inclination is to apply the KISS principle and redefine the PIX to
treat the "inside" network (VLAN1702) as just another logical network,
leaving no VLAN directly assigned to the physical interface.

But this, according to Cisco, opens us up to the "VLAN jumping" attack.

So I'm trying to understand the actual risk here. Google searches turn up
the occasional oblique reference in various ITsec mailing list archives,
but I found no actual reports of these critters.

So my question is: has anyone ever actually seen one of these in the wild?

Thanks,

- SLS

[1] well, they're still complaining about not being able to use AOL or MSN
messenger.
------------------------------------------------------------------------
Scott L. Stursa 850/644-2591
Network Security Analyst stursa@mailer.fsu.edu
OTI Enterprise Security Group Florida State University

- No good deed goes unpunished -
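
The two conditions in the PIX guide passage quoted in this message can be checked mechanically against a configuration. The following is an added example, not part of the original post and not Cisco's code: the function names are hypothetical, the switch native VLAN is supplied by the caller, and the logical-VLAN check is one reading of the guide's "avoid native VLANs" advice.

```python
import re

# PIX 6.3-style syntax as used in the post:
#   interface <hardware_id> vlan<N> physical|logical
IFACE_RE = re.compile(r"^interface\s+(\S+)\s+vlan(\d+)\s+(physical|logical)$")

# Interface lines copied from the post.
POSTED_CONFIG = """\
interface ethernet1 vlan1702 physical
interface ethernet1 vlan376 logical
interface ethernet1 vlan377 logical
interface ethernet1 vlan1703 logical
interface ethernet1 vlan1704 logical
"""

# Constructed variant: the change the poster is considering, with VLAN 1702
# made logical and no VLAN ID left on the physical interface.
ALL_LOGICAL_CONFIG = POSTED_CONFIG.replace("vlan1702 physical", "vlan1702 logical")


def parse_vlan_interfaces(config_text):
    """Map each hardware interface to its physical VLAN ID and logical VLAN IDs."""
    trunks = {}
    for raw in config_text.splitlines():
        m = IFACE_RE.match(raw.strip())
        if not m:
            continue  # nameif, ip address, etc. are not needed for this check
        hw, vlan, kind = m.group(1), int(m.group(2)), m.group(3)
        entry = trunks.setdefault(hw, {"physical": None, "logical": []})
        if kind == "physical":
            entry["physical"] = vlan
        else:
            entry["logical"].append(vlan)
    return trunks


def audit_trunk(config_text, hw, switch_native_vlan):
    """Return a list of findings for one trunked firewall interface."""
    entry = parse_vlan_interfaces(config_text).get(hw)
    if entry is None:
        return [f"{hw}: no VLAN interface lines found"]
    findings = []
    phys = entry["physical"]
    if phys is None:
        # The guide says to assign a VLAN ID to the physical interface.
        findings.append(f"{hw}: no VLAN ID assigned to the physical interface")
    else:
        if phys == 1:
            findings.append(f"{hw}: physical interface uses VLAN 1")
        if phys == switch_native_vlan:
            findings.append(f"{hw}: physical VLAN {phys} equals the switch native VLAN")
    # Assumption: a logical VLAN that is the switch's native VLAN also counts
    # as "using the native VLAN", which the guide recommends avoiding.
    for vlan in entry["logical"]:
        if vlan == switch_native_vlan:
            findings.append(f"{hw}: logical VLAN {vlan} is the switch native VLAN")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("all-logical", ALL_LOGICAL_CONFIG)):
        print(name, audit_trunk(cfg, "ethernet1", switch_native_vlan=1) or "no findings")
```

With the Foundry's default VLAN of 1, the posted configuration produces no findings, while the all-logical variant is flagged for leaving the physical interface without a VLAN ID.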

--__--__--

Message: 4
From: "George J. Jahchan, Eng." <Firewall-Wizards@Compucenter.org>
To: "Firewall Wizards List" <firewall-wizards@honor.icsalabs.com>
Date: Tue, 7 Jun 2005 09:57:06 +0300
Subject: [fw-wiz] Strange Pix behavior.

We are using a pair of failover Pix 515s, and are consistently seeing denied
return traffic that theoretically should have been allowed.

Three zones are defined: LAN, DMZ and WAN and the policy is default deny. For
the allowed outbound protocols like http, we are seeing (on weekdays) anywhere
between 25,000 and 45,000 denials originating from web server addresses on the
Internet port 80 to the NAT'ed IP address of LAN users. This is the return
traffic in response to requests that originated from the LAN.

Sample log entry follows:
... Deny tcp src outside:<www-server-IP>/80 dst LAN:<NAT-IP>/31997 by
access-group "WAN"

The corresponding rule in the LAN access-group is:
access-list LAN permit tcp host X.X.X.X gt 1023 any eq www

Not all traffic is blocked, only part of it, seemingly at random, otherwise no
one would have been able to surf the web, which is not the case.

We are also seeing denials generated by the return traffic of other allowed
outbound protocols such as pop3, imap4, smtp and dns (udp); in numbers that seem
to be proportional to the overall number of requests for each protocol.

On week-ends when the traffic is very low, we are still seeing denials, in
numbers proportional to overall requests.

We have monitored CPU and memory utilization on the Pix, they are low (CPU < 10%
and memory < 25%).

The Cisco reseller has not come through with a credible explanation for this
behavior or made suggestions on course of action for diagnosing the problem.

Can anyone on this list help?
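
The "proportional to requests" observation in this message can be measured from the deny log itself. The following is an added example, not part of the original post: the field layout is taken from the sample entry above, while the log lines, addresses and function names are constructed.

```python
import re
from collections import Counter, defaultdict

# Field layout taken from the sample entry in the post; whatever precedes
# "Deny" (elided as "..." there) is ignored.
DENY_RE = re.compile(
    r'Deny (?P<proto>tcp|udp) '
    r'src (?P<sif>[^:\s]+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[^:\s]+):(?P<dip>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample lines (documentation address ranges, made-up ports).
SAMPLE_LOG = [
    '... Deny tcp src outside:198.51.100.10/80 dst LAN:203.0.113.5/31997 by access-group "WAN"',
    '... Deny tcp src outside:198.51.100.10/80 dst LAN:203.0.113.5/31997 by access-group "WAN"',
    '... Deny tcp src outside:198.51.100.11/80 dst LAN:203.0.113.5/31998 by access-group "WAN"',
    '... Deny udp src outside:198.51.100.53/53 dst LAN:203.0.113.5/40000 by access-group "WAN"',
    '... Deny tcp src outside:198.51.100.25/110 dst LAN:203.0.113.6/2048 by access-group "WAN"',
    '... Deny tcp src outside:192.0.2.77/4444 dst LAN:203.0.113.5/22 by access-group "WAN"',
    '... some unrelated message',
]


def is_reply_shaped(sport, dport):
    """True when the ports mirror an outbound request allowed by a rule like
    'permit tcp host X.X.X.X gt 1023 any eq www': server port to client port."""
    return sport <= 1023 and dport > 1023


def summarize_denies(lines, acl="WAN"):
    """Group reply-shaped denials by (protocol, service port).

    Returns (summary, other) where summary maps each service to its denial
    count, the number of distinct flows, and the most denials seen on one
    flow; 'other' counts denials that do not look like return traffic.
    """
    per_service = defaultdict(Counter)
    other = 0
    for line in lines:
        m = DENY_RE.search(line)
        if not m or m.group("acl") != acl:
            continue
        sport, dport = int(m.group("sport")), int(m.group("dport"))
        if not is_reply_shaped(sport, dport):
            other += 1
            continue
        flow = (m.group("sip"), sport, m.group("dip"), dport)
        per_service[(m.group("proto"), sport)][flow] += 1
    summary = {
        svc: {"denies": sum(f.values()), "flows": len(f), "max_per_flow": max(f.values())}
        for svc, f in per_service.items()
    }
    return summary, other


if __name__ == "__main__":
    summary, other = summarize_denies(SAMPLE_LOG)
    for (proto, port), stats in sorted(summary.items()):
        print(proto, port, stats)
    print("not reply-shaped:", other)
```

Dividing each service's "denies" by the number of outbound requests for the same period gives the ratio the message describes, and comparing "flows" with "max_per_flow" shows whether the denials are spread across many connections or repeated on a few.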

--__--__--

Message: 5
Date: Tue, 7 Jun 2005 03:00:27 -0400 (EDT)
From: "R. DuFresne" <dufresne@sysinfo.com>
To: "Paul D. Robertson" <paul@compuwar.net>
Cc: "Marcus J. Ranum" <mjr@ranum.com>,
Fritz Ames <fritzames@earthlink.net>, Ben Nagy <ben@iagu.net>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?
Organization: sysinfo.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[SNIP]

>
> Good thing I scrolled down to find it! It's pretty well hidden for a
> "strong" recommendation. Took me 15 minutes to find, and that's all I was
> searching for.
>

I wrote a few papers on wifi products a few years ago, and mentioned that
anything at all to do with securing these devices tends to be hidden, if
covered at all, and only touched on in the briefest sense, deep down in
the documentation. So, nothing has changed in recent times, cool to note
the consistency.

Thanks,

Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCpUYOst+vzJSwZikRAhKFAJ9x9rdyONzvg/BeBXiY2jq/SruB/wCdGgPB
RcUGGqc70qMVsCQNoaEC574=
=x1fI
-----END PGP SIGNATURE-----

--__--__--

Message: 6
From: "Tina Bird" <tbird@precision-guesswork.com>
To: <firewall-wizards@honor.icsalabs.com>
Date: Tue, 7 Jun 2005 09:41:26 -0700
Subject: [fw-wiz] so much for "deny all"

From the TechTarget coverage of the Gartner Security Summit this week:

"Next generation firewalls that do deep-packet inspections from vendors like
Juniper Networks, Check Point and Fortinet employ a heuristics engine and
allow all network traffic and behavior, except those which policy says it
must block. Most enterprises, however, refresh their firewall purchases on a
three- to five-year cycle and that makes it challenging to synch new
features."

*sigh*

<http://searchwindowssecurity.techtarget.com/originalContent/0,289142,sid45_gci1095755,00.html?track=NL-122&ad=518233>
(site requires free registration)

--__--__--

Message: 7
Date: Tue, 7 Jun 2005 12:33:53 -0500
From: "Zurek, Patrick" <pzurek@uillinois.edu>
To: <firewall-wizards@honor.icsalabs.com>
Subject: [fw-wiz] Host based vs network firewall in datacenter

Hi all,
I graduated from university not long ago and assumed my first job as
network administrator in a small datacenter. I've been lurking here for
a while and reading the archives. I've learned a lot from what many of
you have had to say, but I'm having difficulty making the jump from the
theory behind the way things should be run (ie. the network design maps
that show the little switch, router & firewall symbols) and the
practical applications of that. I was also reluctant to make this post
in fear of getting flamed for having what will come across as a clueless
attitude about network security. Instead of flaming, please correct me,
I want to learn.

I'd like to solicit some advice on a firewall implementation. Our
Solaris only site has two main components, a web presence which connects
to a backend application running on top of Oracle, and a custom
application (which unfortunately also runs on the same host as the
database) to which our clients connect. So all our servers need to be
internet facing including the database. Our servers range from small
Sun V100s to a F15k. We do not have a firewall or a NIDS and we do not
have administrative control of the router on which to apply stateless
ACLs. This was the situation when I arrived. Fortunately, our hosts
are properly configured and reasonably hardened by a competent system
administrator. Just recently I've had some luck with management in
getting a span port enabled on the switch - in a month or so I hope to
have up a BSD monitoring platform running snort/sguil off a dedicated
tap.

These are the options as I see them:
1) Wide open - keep the hosts locked down tight and keep open services
to a minimum.
2) Host based firewall - put ipf on the hosts
3) Network firewall behind the router - ???

1) Does not seem feasible to continue to operate this way.

2) As a short term measure I have applied ipfilter on several of our non
production hosts. My manager has begun to advocate putting it on all
production systems now (about 15 hosts). At first I thought this would
be a bad idea, as a network firewall would ease administration and
having to administer separate rule sets for each server would be
unwieldy. However, after reading the opinions of certain members of the
list, I'm at a loss as to how to proceed. I don't want to purchase
something like:

"- Some of the products we're buying simply don't work
- Some of the products we're buying aren't being used
properly
- There is no correlation between cost and effectiveness
of security products"

as MJR said last week. I'm interested in using the right tool for the
job. Is ipf on a production Sun 15k a good idea?

3) This option is good because it will allow us to apply stateless ACLs
at the gateway and centralize the management of firewall functions.

Bearing in mind that I'm still relatively new to this, and that I'm
having trouble bridging the gap between the way security should be done,
and actually implementing it, I'd appreciate any advice and help.

Thanks for reading,

Pat

--__--__--

Message: 8
From: "FirewallAdmin" <firewalladmin@bellsouth.net>
To: "Darren Reed" <darrenr@reed.wattle.id.au>,
"Paul D. Robertson" <paul@compuwar.net>
Cc: "Chuck Swiger" <chuck@codefab.com>,
<firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] Is NAT in OpenBSD PF UPnP enabled or Non UPnP?
Date: Sat, 4 Jun 2005 16:48:49 -0400

-------------------------------------------------------------------
Rather, security needs to be integrated and designed in. Risks need
to be investigated, understood and documented from the outset and
mitigated where necessary. However, this doesn't address the problem
of "software bugs" so we need to find ways to manage that. Isolating
the execution environment (this includes disk as well as memory) of
something considered risky - e.g. any web browsers - is something to
think about and can be achieved, in part, on all unixes today, albeit
the browser may lose some usefulness. So we need to do a better job
of achieving that. As with the web, so too with any popular technology.

We should think about ways in which we can achieve better security and
functionality, at the same time, without tradeoffs and look at how we
can develop solutions to achieve this.
-------------------------------------------------------------------

Honestly Darren, who is "chest beating", "old hat" and "stale" now?

Mark

--__--__--

Message: 9
Date: Wed, 8 Jun 2005 19:54:13 -0400 (EDT)
From: "R. DuFresne" <dufresne@sysinfo.com>
To: Chris Blask <chris@blask.org>
Cc: Scott Stursa <stursa@mailer.fsu.edu>,
"Marcus J. Ranum" <mjr@ranum.com>,
firewall-wizards@honor.icsalabs.com
Subject: Re: Going meta (was RE: [fw-wiz] Ok, so now we have a firewall...)
Organization: sysinfo.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Let's see the CIO for my present employer won, I believe the ISE award
last fall, and her competition consisted of the CISO for the now infamous
choicepoint amongst others. I'd say much more, but well, let it rest
with my <cough> congrats on this 'award'...

Point being, we tend to award those that demonstrate minor accomplishments
in this industry, at this time, overlooking that high profile systems and
project these folks manage are fraught with exposures, compromises, and
latent lack of accountability, so the processes to clean up are down the
road of enlightenment.

And, yes, I'm trying to be as obtuse as possible here to avoid being made
a scapegoat once again...

Thanks,

Ron DuFresne

On Thu, 2 Jun 2005, Chris Blask wrote:

>
> Hey, Scott!
>
> At 04:28 PM 6/2/2005, Scott Stursa wrote:
>
> .d.
>> So I held my ground and we did it my way. The result - no compromised
>> hosts since then (beginning of March).
>>
>> But I've paid for that. Two months ago he did a performance appraisal on
>> me, giving me the first "unsatisfactory" rating I've received in 26 years
>> of working for the university. I'm on probation and having to document
>> literally every minute of my day. Not that it will make any difference - I
>> fully expect to be unemployed when my contract expires in August.
>>
>> This is the price I'm paying for *not* being a "sissy".
>
> That sucks! I mean, it is quite possible he is just the breed of pencil-neck
> career-monkey that occur so often in the wild and you would never be able to
> live with him, anyway, but this is precisely the kind of situation that
> occurs again and again and grinds us down as a group. Of course it's
> grinding you now specifically, but I bet you a bottle of Jameson's that you
> end up making more money this time next year than you are now (and maybe more
> than your petty boss :-) and enjoy your work more.
>
> I've been following the accountability thread, and it occurs to me that the
> one thing we desperately lack is the ability to deliver good practices that
> people can follow and be held accountable for following. In a Perfect World
> it would be a piece of paper that Scott could take to his boss's boss and say
> "I insisted we follow this, as is my responsibility, and Rung Lemur here is
> all pissy about it."
>
> o I know good classes are being taught, but obviously it isn't enough and/or
> we have other issues (and Quantity < Need, certainly).
> - The scale thing is certainly a big part of the problem, even most CTOs are
> working with a barbaric understanding of security.
> - the sheer newness of all this IP stuff (and buried in that is their first
> confrontation with Security) creates a dynamic load of issues for any CTO
> doing their job, so even the very few who have had a first-hand conversation
> with a well-spoken Clue Club Member most likely never hear the wisdom again
> and the message is plowed under.
> - I'd like to find some one-liner to address the problem, but it looks like
> just lots more work developing and delivering education (pick a medium) and
> allowing the passage of time to inculcate the masses with some experience.
>
> - One metric that gives me hope on the Edumacation front is my endless
> Brownian Public Survey, and I see the savvy-factor in the average Joe going
> up consistently. I poll people ceaselessly about (well, everything, but
> among that:) their interaction with information technology. I still can't
> have an in-depth useful conversation about security with the least capable of
> computer clickers, but today those folks are now the very last of the
> living-in-the-woods (literally) people who said they would "never own a
> confuser". Mom still has a hard time following the thread if I get too
> enthusiastic about details, but she gets all the basics and can apply them to
> her own experiences using 'puters and the net. The average
> plane-seat-neighbor can usually play a good foil for thinking out loud about
> an issue - but it's always the first time they've considered it that closely,
> even if they are IT folks.
>
> o Product classes and categories have shifted around enough that even we
> have to pay attention, everyone else is like the cancer patient listening to
> two doctors disagree on his treatment.
>
> o There obviously isn't a given Best Practices Precedent out there, or
> lawyers would have found it and sued the crap out of people by now. Without
> such precedent, it's impossible to hold management types accountable for
> following it, and it's impossible to nail mismanagement mid-weasels like
> Scott's boss for gross incompetence. We could use a good sue-able
> precedent...
>
> o Auditing tools need to get better. If it could be clearly shown that a
> commonly accepted practice was not followed, leading to losses to the
> organization involved, then the accountability chain can be established and
> Paul's lawyerfests can be directed at creating Darwinistic impulses among
> CTOs, and thereby creating same in high-expectation-having, upward-managing,
> lickspittles like Scott's Uberviser. Fixing auditing is not my problem
> anymore at the moment, but Marcus and tbird and Partha and the rest need to
> keep plugging until the next Scott can have a leg to stand on against his
> Hindmost.
>
> Scott's boss still needs a swift kick. I'm leaving for Disney tomorrow, can
> I stop by and rough him up for you... :-)
>
> -grrrrr
>
> -chris
>
> PS - somebody get Scott a better job!
>
>
> Chris Blask
> chris@blask.org
> http://blaskworks.blogspot.com
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>

- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCp4Uqst+vzJSwZikRAjMBAJ4jtvLZCka1pPqUYEYiuvr//XXz2ACgxWEm
bnK6RMCD3/l0I9FWENxS+oU=
=jvDr
-----END PGP SIGNATURE-----

--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest
