Friday, June 10, 2005

firewall-wizards digest, Vol 1 #1608 - 2 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. Re: Strange Pix behavior. (Victor Williams)
2. Re: Ok, so now we have a firewall, we're safe, right? (Dave Piscitello)

--__--__--

Message: 1
Date: Fri, 10 Jun 2005 10:28:46 -0500
From: Victor Williams <vbwilliams@neb.rr.com>
To: "George J. Jahchan, Eng." <Firewall-Wizards@Compucenter.org>
Cc: Firewall Wizards List <firewall-wizards@honor.icsalabs.com>
Subject: Re: [fw-wiz] Strange Pix behavior.

Three words; not enough info.

I only have three questions. What PIX OS are you using? Why didn't you
post your cleansed config? Why didn't you call Cisco directly (assuming
you have any type of support contract) instead of calling the reseller?
This is something the support contract gives you...free help until the
problem is solved.

Of all the manufacturers that I've dealt with out there, Cisco is by far
the most responsive, and anyone you talk to past the helpdesk knows
backwards and forwards what they're talking about.

George J. Jahchan, Eng. wrote:

> We are using a pair of failover Pix 515s, and are consistently seeing denied
> return traffic that theoretically should have been allowed.
>
> Three zones are defined: LAN, DMZ and WAN and the policy is default deny. For
> the allowed outbound protocols like http, we are seeing (on weekdays) anywhere
> between 25,000 and 45,000 denials originating from web server addresses on the
> Internet port 80 to the NAT'ed IP address of LAN users. This is the return
> traffic in response to requests that originated from the LAN.
>
> Sample log entry follows:
> ... Deny tcp src outside:<www-server-IP>/80 dst LAN:<NAT-IP>/31997 by
> access-group "WAN"
>
> The corresponding rule in the LAN access-group is:
> access-list LAN permit tcp host X.X.X.X gt 1023 any eq www
>
> Not all traffic is blocked, only part of it, seemingly at random, otherwise no
> one would have been able to surf the web, which is not the case.
>
> We are also seeing denials generated by the return traffic of other allowed
> outbound protocols such as pop3, imap4, smtp and dns (udp); in numbers that seem
> to be proportional to the overall number of requests for each protocol.
>
> On week-ends when the traffic is very low, we are still seeing denials, in
> numbers proportional to overall requests.
>
> We have monitored CPU and memory utilization on the Pix, they are low (CPU < 10%
> and memory < 25%).
>
> The Cisco reseller has not come through with a credible explanation for this
> behavior or made suggestions on course of action for diagnosing the problem.
>
> Can anyone on this list help?
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
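
The post above counts denials by protocol to argue that the blocked packets are the reply half of permitted outbound sessions. The script below is an added example, not code from the thread, showing how to pull that breakdown out of PIX syslog: it parses the access-group deny line in the shape quoted above, flags a deny as "return traffic of an allowed outbound service" when it runs outside -> LAN from a server-side port (80, 110, 143, 25, 53/udp, the services the post names) to a client-side port above 1023, and tallies everything else separately. The "%PIX-4-106023:" prefix on the sample lines is assumed from the PIX syslog format (the post's sample starts with "..."), and the addresses and timestamps are constructed test data.

```python
import re
from collections import Counter

# Matches the access-group deny line in the form quoted in the post:
#   Deny tcp src outside:<ip>/80 dst LAN:<ip>/31997 by access-group "WAN"
DENY_RE = re.compile(
    r"Deny (?P<proto>tcp|udp) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

# Outbound services the post says are permitted from the LAN. A reply to one
# of these sessions arrives from the outside with this (proto, source port).
ALLOWED_OUTBOUND = {
    ("tcp", 80): "http",
    ("tcp", 110): "pop3",
    ("tcp", 143): "imap4",
    ("tcp", 25): "smtp",
    ("udp", 53): "dns",
}

# Constructed sample log; the %PIX-4-106023 prefix is assumed, addresses are
# RFC 5737 documentation ranges standing in for the post's <www-server-IP>
# and <NAT-IP> placeholders.
SAMPLE_LOG = """\
Jun 10 2005 09:12:01 pix %PIX-4-106023: Deny tcp src outside:203.0.113.10/80 dst LAN:192.0.2.5/31997 by access-group "WAN"
Jun 10 2005 09:12:02 pix %PIX-4-106023: Deny tcp src outside:203.0.113.11/80 dst LAN:192.0.2.5/32010 by access-group "WAN"
Jun 10 2005 09:12:05 pix %PIX-4-106023: Deny udp src outside:198.51.100.53/53 dst LAN:192.0.2.5/34567 by access-group "WAN"
Jun 10 2005 09:12:07 pix %PIX-4-106023: Deny tcp src outside:203.0.113.12/110 dst LAN:192.0.2.5/35001 by access-group "WAN"
Jun 10 2005 09:12:09 pix %PIX-4-106023: Deny tcp src outside:203.0.113.99/4444 dst LAN:192.0.2.5/445 by access-group "WAN"
Jun 10 2005 09:12:11 pix %PIX-4-106023: Deny tcp src outside:203.0.113.13/80 dst DMZ:192.0.2.200/22 by access-group "WAN"
Jun 10 2005 09:12:13 pix some unrelated message
"""


def parse_deny(line):
    """Return the fields of an access-group deny line, or None if the line
    is not one (other syslog messages are simply skipped)."""
    m = DENY_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["src_port"] = int(entry["src_port"])
    entry["dst_port"] = int(entry["dst_port"])
    return entry


def classify(entry, outside_if="outside", inside_if="LAN"):
    """Name the permitted outbound service whose reply this deny looks like,
    or None. A reply runs outside -> inside, from the server's well-known
    port to a client port above 1023 (the 'gt 1023' in the post's LAN ACL)."""
    if entry["src_if"] != outside_if or entry["dst_if"] != inside_if:
        return None
    if entry["dst_port"] <= 1023:
        return None
    return ALLOWED_OUTBOUND.get((entry["proto"], entry["src_port"]))


def summarize(lines):
    """Tally denies that look like return traffic (by service) against all
    other denies and lines that are not deny messages at all."""
    by_service = Counter()
    other_denies = 0
    unparsed = 0
    for line in lines:
        entry = parse_deny(line)
        if entry is None:
            unparsed += 1
            continue
        service = classify(entry)
        if service:
            by_service[service] += 1
        else:
            other_denies += 1
    return by_service, other_denies, unparsed


if __name__ == "__main__":
    by_service, other_denies, unparsed = summarize(SAMPLE_LOG.splitlines())
    for service, n in by_service.most_common():
        print(f"return traffic denied, {service}: {n}")
    print(f"other denies: {other_denies}, non-deny lines: {unparsed}")
```

Run against a day of syslog instead of the embedded sample, the per-service counts give the proportionality check the post describes; the "other denies" bucket keeps the ordinary inbound noise (the constructed 4444 -> 445 line, and the deny to the DMZ) from being mistaken for broken return traffic.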

--__--__--

Message: 2
From: "Dave Piscitello" <dave@corecom.com>
To: "Paul D. Robertson" <paul@compuwar.net>,
"R. DuFresne" <dufresne@sysinfo.com>
Date: Fri, 10 Jun 2005 11:45:46 -0400
Subject: Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?
Reply-To: dave@corecom.com
Cc: "Marcus J. Ranum" <mjr@ranum.com>,
Fritz Ames <fritzames@earthlink.net>, Ben Nagy <ben@iagu.net>,
firewall-wizards@honor.icsalabs.com

To a great extent, hiding complexity is intentional, and IMO a
reaction to the scathing criticisms hurled at vendors time and again
regarding product and UI complexity.

Some folks on this list recall configuring ISDN adapters and bridge-
routers, or early V. modems. The survivors from the "your UI bites!
You can't expect our 10,000 reasonably intelligent users much less a
consumer to change dipswitch settings and enter command line
gibberish! We need something *intuitive* and *plug-and-play* or we'll
take our business elsewhere" era are IMO permanently traumatized into
believing they can't expose complexity (or they conceded long ago,
made killings giving the customer what he thought he wanted, and are
sipping champagne in sunny surrounds while we debate on maillists).

I feel as if we're arguing over the road *not* travelled
(distinguished from the road *less* travelled). I'm increasingly
skeptical that it's possible to go back to the crossroad and make
"secure" a priority over "easy". Too few people actually care, and
our culture/society becomes more comfortable each day with solutions
that absorb and amortize losses rather than mitigate them. Financials
don't invest in stronger identity theft protection while their costs
of doing business can tolerate loss. When losses exceed "tolerable"
they still don't look for something bullet-proof, only something that
reduces loss to below the magic threshold of "tolerable".

My experience is that consumers, SMBs, and enterprises don't put even
this much effort into assessing and mitigating risk. I might be in
the minority, but the fact that 4 of 5 APs are still run wide open is
as much an embarrassment to users as vendors.

Our hands have to be placed on hot (regulatory) coals to implement
security. Even then we procrastinate and lobby to reduce the
requirements *and* accountability - and ask vendors to automate and
hide complexity. Automation and security aren't good bedfellows.

Where security is involved, otherwise rational adults devolve into
whining, rebellious, scheming, negotiating adolescents. The critical
parent (regulatory) social style isn't working. The nurturing parent
style isn't working. If you know a way to create adult-adult
conversations on the topic of network security, I'm eager to hear
it.

On 7 Jun 2005 at 3:00, R. DuFresne wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> [SNIP]
>
> >
> > Good thing I scrolled down to find it! It's pretty well hidden for
> > a "strong" recommendation. Took me 15 minutes to find, and that's
> > all I was searching for.
> >
>
> I wrote a few papers on wifi products a few years ago, and mentioned
> that anything at all to do with securing these devices tends to be
> hidden, if covered at all, and only touched on in the briefest sense,
> deep down in the documentation. So, nothing has changed in recent
> times, cool to note the consistency.
>
> Thanks,
>
> Ron DuFresne
> - --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> admin & senior security consultant: sysinfo.com
> http://sysinfo.com
> Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
>
> ...We waste time looking for the perfect lover
> instead of creating the perfect love.
>
> -Tom Robbins <Still Life With Woodpecker>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
>
> iD8DBQFCpUYOst+vzJSwZikRAhKFAJ9x9rdyONzvg/BeBXiY2jq/SruB/wCdGgPB
> RcUGGqc70qMVsCQNoaEC574=
> =x1fI
> -----END PGP SIGNATURE-----

--__--__--


End of firewall-wizards Digest
