Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com
You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: Strange Pix behavior. (LazloCarreidas@netscape.net)
2. RE: Ok, so now we have a firewall, we're safe, right? (Brian Loe)
3. Re: so much for "deny all" (Dave Piscitello)
4. Re: Host based vs network firewall in datacenter (Devdas Bhagat)
5. Re: so much for "deny all" (Adam Jones)
6. Re: Host based vs network firewall in datacenter (Victor Williams)
--__--__--
Message: 1
Date: Fri, 10 Jun 2005 11:57:52 -0400
From: LazloCarreidas@netscape.net
To: Firewall-Wizards@Compucenter.org ("George J. Jahchan, Eng.")
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Strange Pix behavior.
George,
We met the same issue on our firewalls some time ago, on 6.3.1.
Reseller and Cisco TAC were not able to solve the case other than by answering: "upgrade to the latest version and try", which we finally did.
Version 6.3.4 did solve the problem... so have a try.
Kind regards
Lazlo
=====
We are using a pair of failover Pix 515s, and are consistently seeing denied
return traffic that theoretically should have been allowed.
Three zones are defined: LAN, DMZ and WAN and the policy is default deny. For
the allowed outbound protocols like http, we are seeing (on weekdays) anywhere
between 25,000 and 45,000 denials originating from web server addresses on the
Internet port 80 to the NAT'ed IP address of LAN users. This is the return
traffic in response to requests that originated from the LAN.
Sample log entry follows:
... Deny tcp src outside:<www-server-IP>/80 dst LAN:<NAT-IP>/31997 by
access-group "WAN"
The corresponding rule in the LAN access-group is:
access-list LAN permit tcp host X.X.X.X gt 1023 any eq www
Not all traffic is blocked, only part of it, seemingly at random, otherwise no
one would have been able to surf the web, which is not the case.
We are also seeing denials generated by the return traffic of other allowed
outbound protocols such as pop3, imap4, smtp and dns (udp); in numbers that seem
to be proportional to the overall number of requests for each protocol.
On week-ends when the traffic is very low, we are still seeing denials, in
numbers proportional to overall requests.
We have monitored CPU and memory utilization on the Pix, they are low (CPU < 10%
and memory < 25%).
The Cisco reseller has not come through with a credible explanation for this
behavior or made suggestions on course of action for diagnosing the problem.
Can anyone on this list help?
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
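As an added example, not code from the thread or from Cisco: a short Python triage script that reads PIX "Deny ... by access-group" lines of the shape quoted above and separates the denials that have the profile George describes (arriving on the outside interface, source port a service the LAN may reach outbound, destination an ephemeral port above 1023) from ordinary inbound denials. The sample log lines are constructed; the interface names, addresses and the list of permitted outbound services are assumptions taken from the post.

```python
"""Triage PIX "Deny ... by access-group" log lines and separate those shaped
like replies to LAN-initiated sessions from ordinary inbound denials.

Added example, not from the thread. SAMPLE_LOG is constructed; the regex keys
on the "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group"
fragment shown in the post.
"""
import re
from collections import Counter

DENY_RE = re.compile(
    r'Deny (?P<proto>tcp|udp) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

# Services the LAN is permitted to reach outbound, per the post (assumed list).
OUTBOUND_SERVICES = {
    ("tcp", 80): "http", ("tcp", 443): "https", ("tcp", 25): "smtp",
    ("tcp", 110): "pop3", ("tcp", 143): "imap4", ("udp", 53): "dns",
}

# Constructed sample: five denials and one unrelated "Built" line.
SAMPLE_LOG = """\
Jun 10 2005 09:12:01 pix-a %PIX-4-106023: Deny tcp src outside:203.0.113.10/80 dst LAN:192.0.2.5/31997 by access-group "WAN"
Jun 10 2005 09:12:02 pix-a %PIX-4-106023: Deny udp src outside:203.0.113.53/53 dst LAN:192.0.2.5/40211 by access-group "WAN"
Jun 10 2005 09:12:03 pix-a %PIX-4-106023: Deny tcp src outside:198.51.100.7/110 dst LAN:192.0.2.5/33020 by access-group "WAN"
Jun 10 2005 09:12:04 pix-a %PIX-4-106023: Deny tcp src outside:198.51.100.9/4444 dst LAN:192.0.2.5/135 by access-group "WAN"
Jun 10 2005 09:12:05 pix-a %PIX-4-106023: Deny tcp src outside:203.0.113.10/80 dst LAN:192.0.2.5/31998 by access-group "WAN"
Jun 10 2005 09:12:06 pix-a %PIX-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/80 (203.0.113.10/80) to LAN:192.0.2.5/31999 (198.51.100.2/31999)
"""


def parse_deny(line):
    """Return the fields of a deny line as a dict, or None for other lines."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def looks_like_return_traffic(rec, outside_if="outside"):
    """True when the denied packet comes in on the outside interface, from a
    service port the LAN may reach outbound, to an ephemeral port: the shape
    of a reply whose session the firewall is not (or no longer) tracking."""
    return (rec["sif"] == outside_if
            and (rec["proto"], rec["sport"]) in OUTBOUND_SERVICES
            and rec["dport"] > 1023)


def summarize(lines, outside_if="outside"):
    """Count reply-shaped denials per service; everything else goes to 'other'."""
    counts = Counter()
    for line in lines:
        rec = parse_deny(line)
        if rec is None:
            continue
        if looks_like_return_traffic(rec, outside_if):
            counts[OUTBOUND_SERVICES[(rec["proto"], rec["sport"])]] += 1
        else:
            counts["other"] += 1
    return counts


def reply_share(counts):
    """Fraction of all denials that are reply-shaped (0.0 when there are none)."""
    total = sum(counts.values())
    return 0.0 if not total else (total - counts["other"]) / total


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG.splitlines())
    for name, n in counts.most_common():
        print(f"{name:8s} {n}")
    print(f"reply-shaped share: {reply_share(counts):.0%}")
```

Running it prints the per-service counts and the share of denials that are reply-shaped. The split is by packet shape only: a large reply-shaped share supports the reading that the firewall is dropping return traffic of sessions it ought to hold state for, but it says nothing about why that state is missing; that question belongs with the PIX version and its connection table, which is where the replies in this thread point.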
--__--__--
Message: 2
From: "Brian Loe" <knobdy@stjoelive.com>
To: <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] Ok, so now we have a firewall, we're safe, right?
Date: Fri, 10 Jun 2005 12:57:34 -0500
Have you noticed how TSA treats security post 9/11? No thanks, I don't want
the government telling us how we have to conduct business. These things get
ironed out, every day, the way they should: someone loses something due to
someone else's neglect or negligence, that person gets sued/goes to jail.
If you're charged with security the best you can do is document everything you
do and why - including those things proposed to management that were shot
down - and move on. Your responsibility is to carry out the wishes of your
company and if they don't correspond with your morals or ethics you're free
to quit, and you should.
This, like so many other things, is about personal responsibility, not
government control.
As for financial companies that only reduce risk enough to make it
"tolerable", they'll get along with it until either their board, their
shareholders or their customers hold their feet to the fire. And, as you
say, most people don't care so that's not likely to happen soon - so what?
Why do you care? Protect yourself and be happy, right?
> Our hands have to be placed on hot (regulatory) coals to
> implement security. Even then we procrastinate and lobby to
> reduce the requirements *and* accountability - and ask
> vendors to automate and hide complexity. Automation and
> security aren't good bedfellows.
>
> Where security is involved, otherwise rational adults
> devolve into whining, rebellious, scheming, negotiating
> adolescents. The critical parent (regulatory) social style
> isn't working. The nurturing parent style isn't working. If
> you know a way to create adult-adult conversations on the
> topic of network security, I'm eager to hear them.
--__--__--
Message: 3
From: "Dave Piscitello" <dave@corecom.com>
To: "Tina Bird" <tbird@precision-guesswork.com>
Date: Fri, 10 Jun 2005 14:21:09 -0400
Subject: Re: [fw-wiz] so much for "deny all"
Reply-To: dave@corecom.com
Cc: firewall-wizards@honor.icsalabs.com
This is very good publicity for firewall vendors not in the list who
provide a default "DENY ALL" in policy configuration. I'll enjoy
tormenting friends at these companies over this:-)
But the 2nd statement is very odd, don't you think? Not only is it
remarkably difficult to parse, but it flies in the face of (my)
experience.
Taking the source with a grain of salt, I find it hard to believe
that most enterprises change security vendors every five years.
Perhaps 100% of my clients buck this trend. Upgrades, yes.
Forklifting firewalls? I have yet to see this except in circumstances
where the prior firewall failed pitifully in enforcing policy.
On 7 Jun 2005 at 9:41, Tina Bird wrote:
> From the TechTarget coverage of the Gartner Security Summit this
> week:
>
> "Next generation firewalls that do deep-packet inspections from
> vendors like Juniper Networks, Check Point and Fortinet employ a
> heuristics engine and allow all network traffic and behavior, except
> those which policy says it must block. Most enterprises, however,
> refresh their firewall purchases on a three- to five-year cycle and
> that makes it challenging to synch new features."
--__--__--
Message: 4
Date: Sat, 11 Jun 2005 00:12:58 +0530
From: Devdas Bhagat <devdas@dvb.homelinux.org>
To: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Host based vs network firewall in datacenter
Reply-To: Devdas Bhagat <devdas@dvb.homelinux.org>
On 07/06/05 12:33 -0500, Zurek, Patrick wrote:
> Hi all,
> I graduated from university not long ago and assumed my first job as
> network administrator in a small datacenter. I've been lurking here for
> a while and reading the archives. I've learned a lot from what many of
> you have had to say, but I'm having difficulty making the jump from the
> theory behind the way things should be run (ie. the network design maps
> that show the little switch, router & firewall symbols) and the practical
> applications of that. I was also reluctant to make this post in fear
> of getting flamed for having what will come across as a clueless attitude
> about network security. Instead of flaming, please correct me, I want
> to learn.
I haven't seen too many flames on posters here asking questions :).
>
> I'd like to solicit some advice on a firewall implementation. Our
> solaris only site has two main components, a web presence which connects
> to a backend application running on top of Oracle, and a custom
> application (which unfortunately also runs on the same host as the
> database) to which our clients connect. So all our servers need to
> be internet facing including the database. Our servers range from
Is there any possibility of moving the custom application off the
database? Is there any possibility of moving the application to an
easily proxied protocol?
> small Sun V100s to a F15k. We do not have a firewall or a NIDS and we
> do not have administrative control of the router on which to apply
> stateless ACLs. This was the situation when I arrived. Fortunately,
> our hosts are properly configured and reasonably hardened by a
> competent system administrator. Just recently I've had some luck
> with management in getting a span port enabled on the switch - in a
> month or so I hope to have up a BSD monitoring platform running
> snort/sguil off a dedicated tap.
>
> These are the options as I see them:
> 1) Wide open - keep the hosts locked down tight and keep open services
> to a minimum.
> 2) Host based firewall - put ipf on the hosts
> 3) Network firewall behind the router - ???
>
> 1) Does not seem feasible to continue to operate this way.
>
Keeping the hosts locked down tight, and open services to a minimum is a
good idea. If possible, have Oracle only listen to a Unix socket, or the
loopback interface.
> 2) As a short term measure I have applied ipfilter on several of our
> non production hosts. My manager has begun to advocate putting it on
> all production systems now (about 15 hosts). At first I thought this
> would be a bad idea, as a network firewall would ease administration
> and having to administer separate rule sets for each server would be
How about a *BSD box in front with stateful firewalling rules, and some
additional rules on each host?
> unwieldy. However, after reading the opinions of certain members of
> the list, I'm at a loss as to how to proceed. I don't want to purchase
> something like:
>
> "- Some of the products we're buying simply don't work
> - Some of the products we're buying aren't being used
> properly
> - There is no correlation between cost and effectiveness
> of security products"
>
> as MJR said last week. I'm interested in using the right tool for the job.
> Is ipf on a production Sun 15k a good idea?
>
> 3) This option is good because it will allow us to apply stateless ACLs
> at the gateway and centralize the management of firewall functions.
>
> Bearing in mind that I'm still relatively new to this, and that I'm having
> trouble bridging the gap between the way security should be done, and
> actually implementing it, I'd appreciate any advice and help.
1> Define a policy.
2> Write it down.
3> Map the policy to your firewalling rules. This includes deciding what
traffic to allow on what ports, and what protocols you need to proxy.
Consider implementing a reverse proxy with squid, filtering out unusual
URLs at a minimum.
Devdas Bhagat
--__--__--
Message: 5
Date: Fri, 10 Jun 2005 13:50:51 -0500
From: Adam Jones <ajones1@gmail.com>
Reply-To: Adam Jones <ajones1@gmail.com>
Subject: Re: [fw-wiz] so much for "deny all"
Cc: firewall-wizards@honor.icsalabs.com
Just because they sell it does not mean you have to buy it. You can
still do deny all to your heart's content and let the people who need
(or think they need) the big expensive smarter-than-me firewall buy
that.
On 6/7/05, Tina Bird <tbird@precision-guesswork.com> wrote:
> From the TechTarget coverage of the Gartner Security Summit this week:
>
> "Next generation firewalls that do deep-packet inspections from vendors like
> Juniper Networks, Check Point and Fortinet employ a heuristics engine and
> allow all network traffic and behavior, except those which policy says it
> must block. Most enterprises, however, refresh their firewall purchases on a
> three- to five-year cycle and that makes it challenging to synch new
> features."
>
> *sigh*
>
> <http://searchwindowssecurity.techtarget.com/originalContent/0,289142,sid45_gci1095755,00.html?track=NL-122&ad=518233> (site requires free registration)
>
--__--__--
Message: 6
Date: Fri, 10 Jun 2005 10:53:33 -0500
From: Victor Williams <vbwilliams@neb.rr.com>
To: "Zurek, Patrick" <pzurek@uillinois.edu>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Host based vs network firewall in datacenter
My opinion is that anything you can do is better than nothing.
I often come across people who KNOW what's wrong with their
implementations, and they bury their head in the sand regarding it. I
am glad to see you are not one of those people.
I think one thing you are asking is how, regarding the network, do I
make this implementation better. I think you are on the right track.
However, as someone concerned about security, I don't think you should
limit yourself to that line of thinking. There are best-practices you
should adhere to when putting together a system like this. I might pose
the question of how difficult would it be to separate the application
layer from the data layer in your environment, and what would you gain
from doing so? I think app and data residing on the same machine is
generally a bad idea...not from just a data security standpoint, but if
I lose my application server for whatever reason (lightning), guess
what? My data is fried as well. It is always better in my opinion (not
necessarily from *security to keep other people out* point of view) to
keep all your eggs in different baskets.
In addition, I for one use firewalls/IDS of some sort on any/all
applicable servers. I've also written my own scripts to automate the
functionality of them if applicable...so I don't have to keep disparate
rulesets on them all.
Also, think accountability. Even if you can't put more *security
controls* in place, do you believe you can track down a security breach
if it happened? Is there enough applicable logging going on to see
who/what caused your breach? Do you have the knowledge to use all this
logging to your advantage?
Being originally from the gov't sector myself in the USDA, I often found
that we needed to put security controls in place to give us
accountability and to prevent our machines from being used as
repositories for unnecessary stuff...*hackers* tried to break in to use
our servers as free space areas for whatever...not necessarily stealing
our data because it was public domain data (GIS hi-res satellite
pictures) anyway. Where I'm going here, is your application of whatever
will depend on what you're trying to protect and why. Since moving on
to my current job, my application of security controls has changed
because the data I'm protecting is different, and the motives for
getting it would be completely different.
Before you just decide to turn on a firewall here and there, you need to
ask yourself why you're turning it on in the first place (not saying you
don't need it), and ask yourself what you're trying to protect.
Personally, I would be more worried about the way your application is
architected than firewalls at this point.
Zurek, Patrick wrote:
> Hi all,
> I graduated from university not long ago and assumed my first job as network administrator in a small datacenter. I've been lurking here for a while and reading the archives. I've learned a lot from what many of you have had to say, but I'm having difficulty making the jump from the theory behind the way things should be run (ie. the network design maps that show the little switch, router & firewall symbols) and the practical applications of that. I was also reluctant to make this post in fear of getting flamed for having what will come across as a clueless attitude about network security. Instead of flaming, please correct me, I want to learn.
>
> I'd like to solicit some advice on a firewall implementation. Our solaris only site has two main components, a web presence which connects to a backend application running on top of Oracle, and a custom application (which unfortunately also runs on the same host as the database) to which our clients connect. So all our servers need to be internet facing including the database. Our servers range from small Sun V100s to a F15k. We do not have a firewall or a NIDS and we do not have administrative control of the router on which to apply stateless ACLs. This was the situation when I arrived. Fortunately, our hosts are properly configured and reasonably hardened by a competent system administrator. Just recently I've had some luck with management in getting a span port enabled on the switch - in a month or so I hope to have up a BSD monitoring platform running snort/sguil off a dedicated tap.
>
> These are the options as I see them:
> 1) Wide open - keep the hosts locked down tight and keep open services to a minimum.
> 2) Host based firewall - put ipf on the hosts
> 3) Network firewall behind the router - ???
>
> 1) Does not seem feasible to continue to operate this way.
>
> 2) As a short term measure I have applied ipfilter on several of our non production hosts. My manager has begun to advocate putting it on all production systems now (about 15 hosts). At first I thought this would be a bad idea, as a network firewall would ease administration and having to administer separate rule sets for each server would be unwieldy. However, after reading the opinions of certain members of the list, I'm at a loss as to how to proceed. I don't want to purchase something like:
>
> "- Some of the products we're buying simply don't work
> - Some of the products we're buying aren't being used
> properly
> - There is no correlation between cost and effectiveness
> of security products"
>
> as MJR said last week. I'm interested in using the right tool for the job. Is ipf on a production Sun 15k a good idea?
>
> 3) This option is good because it will allow us to apply stateless ACLs at the gateway and centralize the management of firewall functions.
>
> Bearing in mind that I'm still relatively new to this, and that I'm having trouble bridging the gap between the way security should be done, and actually implementing it, I'd appreciate any advice and help.
>
> Thanks for reading,
>
> Pat
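As an added example that serves both Devdas Bhagat's "map the policy to your firewalling rules" step (message 4) and Victor Williams's point about scripting host rulesets so you are not hand-maintaining fifteen of them (message 6): a Python generator, not code from anyone in the thread, that keeps the written policy as data and renders an ipf ruleset per host, default deny in both directions with explicit stateful passes only for what the policy lists. Host names, addresses, the interface name and the custom-application port are constructed placeholders. The Oracle listener is deliberately given no external source, which leaves it reachable only over loopback, as Devdas suggests; the audit function is there to catch a policy edit that would quietly expose it.

```python
"""Render a written policy into ipfilter (ipf) rules, one ruleset per host.

Added example, not from the thread. Host names, addresses, the interface
name and the application port below are constructed placeholders; only the
default-deny / keep-state pattern and the ipf syntax are the point.
"""
from dataclasses import dataclass, field


@dataclass
class Service:
    name: str
    proto: str          # "tcp" or "udp"
    port: int
    allow_from: list    # source hosts/networks; "any" means the Internet


@dataclass
class Host:
    name: str
    addr: str
    iface: str
    inbound: list = field(default_factory=list)   # Services this host offers
    outbound: list = field(default_factory=list)  # (proto, port) it may initiate


def _flags(proto):
    # Only a SYN may create TCP state; UDP has no flags.
    return " flags S" if proto == "tcp" else ""


def render_ipf(host):
    """Emit an ipf ruleset for one host: block and log everything by default,
    pass loopback, then one stateful pass per policy entry."""
    rules = [
        f"# {host.name} ({host.addr}) generated from policy; default deny",
        "block in log all",
        "block out log all",
        "pass in quick on lo0 all",
        "pass out quick on lo0 all",
    ]
    for svc in host.inbound:
        for src in svc.allow_from:
            rules.append(f"# inbound {svc.name} from {src}")
            rules.append(
                f"pass in quick on {host.iface} proto {svc.proto} from {src} "
                f"to {host.addr} port = {svc.port}{_flags(svc.proto)} keep state"
            )
    for proto, port in host.outbound:
        rules.append(
            f"pass out quick on {host.iface} proto {proto} from {host.addr} "
            f"to any port = {port}{_flags(proto)} keep state"
        )
    return rules


def audit(host, never_public=frozenset({1521})):
    """Return violations of the written policy: services that must never be
    reachable from the Internet but which some entry would expose."""
    return [
        f"{host.name}: {svc.name} (port {svc.port}) is reachable from any"
        for svc in host.inbound
        if svc.port in never_public and "any" in svc.allow_from
    ]


# Constructed policy for the two-tier layout described in the thread:
# a web host, and an application/database host that clients also reach.
WEB = Host("web1", "192.0.2.10", "hme0",
           inbound=[Service("http", "tcp", 80, ["any"]),
                    Service("https", "tcp", 443, ["any"])],
           outbound=[("tcp", 7000), ("udp", 53)])

APPDB = Host("appdb1", "192.0.2.20", "hme0",
             inbound=[Service("custom-app", "tcp", 7000, ["any", "192.0.2.10"]),
                      # No external source: Oracle stays loopback-only.
                      Service("oracle", "tcp", 1521, [])],
             outbound=[("udp", 53)])

if __name__ == "__main__":
    for host in (WEB, APPDB):
        print("\n".join(render_ipf(host)), end="\n\n")
        for problem in audit(host):
            print("POLICY VIOLATION:", problem)
```

Run it and feed each host's block to ipf on that host; the point is that the policy lives in one place and the per-host rulesets are derived from it, so a change is made once and regenerated everywhere. The audit is the written policy checking its own mapping: it fails the build if anyone adds "any" to a service the policy says is internal.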
--__--__--
End of firewall-wizards Digest