Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com
You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. RE: Host based vs network firewall in datacenter (Paul Melson)
2. Re: Ok, so now we have a firewall, we're safe, right? (Marcus J. Ranum)
3. Re: Ok, so now we have a firewall, we're safe, right? (Dave Piscitello)
4. Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? (Siju George)
5. RE: so much for "deny all" (Paul Melson)
6. RE: Ok, so now we have a firewall, we're safe, right? (Dave Piscitello)
7. Password Recovery IP330 (Mark Sargent)
--__--__--
Message: 1
From: "Paul Melson" <psmelson@comcast.net>
To: "'Zurek, Patrick'" <pzurek@uillinois.edu>,
<firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] Host based vs network firewall in datacenter
Date: Mon, 13 Jun 2005 13:11:35 -0400
Pat, I think you're on the right track, but I would suggest maybe taking a
more holistic approach to your network. I don't think you've come close to
an exhaustive list of options.
For instance, option #1 is a basic hardening approach which involves
patching and disabling unneeded processes. This deals with security at the
application level. Options #2 & #3 deal with just filtering network
traffic. Is your only point of vulnerability via the network? Does it only
exist at services that are NOT in use? Or is it possible (or perhaps even
more likely) that services you want to allow through your filters are usable
attack vectors? So how about normalizing application traffic through a
proxy, or at least encryption and authentication?
Also, you mention a NIDS project you're undertaking, but what about attacks
against those systems that take place over encrypted channels or terminals
or simply aren't part of the mainstream vulnerability lexicon? What
monitoring and controls do you have to ensure that your authenticated users
are authorized users, and that those authorized users only do what they are
authorized to do? What about RBAC? Or a host-based IDS/IPS product?
I realize I've answered your questions with more questions. I hope I'm
giving you more food for thought regarding access control to your systems.
There's plenty more where that came from. :)
You have a lot of bases to cover and a lot of things to consider beyond the
three options you list below, all of which serve to reduce the risks of
compromise and loss.
PaulM
PS - Since I hate the answer I just gave you, if you want my non-refundable
$0.02 worth of advice, go with #1 AND #2. Of the options you're already
considering, I think that gives you the most direct benefit.
-----Original Message-----
Subject: [fw-wiz] Host based vs network firewall in datacenter
These are the options as I see them:
1) Wide open - keep the hosts locked down tight and keep open services to a
minimum.
2) Host based firewall - put ipf on the hosts
3) Network firewall behind the router - ???
1) Does not seem feasible to continue to operate this way.
2) As a short term measure I have applied ipfilter on several of our non
production hosts. My manager has begun to advocate putting it on all
production systems now (about 15 hosts). At first I thought this would be a
bad idea, as a network firewall would ease administration and having to
administer separate rule sets for each server would be unwieldy. However,
after reading the opinions of certain members of the list, I'm at a loss as
to how to proceed. I don't want to purchase something like:
"- Some of the products we're buying simply don't work
- Some of the products we're buying aren't being used
properly
- There is no correlation between cost and effectiveness
of security products"
as MJR said last week. I'm interested in using the right tool for the job.
Is ipf on a production Sun 15k a good idea?
3) This option is good because it will allow us to apply stateless ACLs at
the gateway and centralize the management of firewall functions.
Bearing in mind that I'm still relatively new to this, and that I'm having
trouble bridging the gap between the way security should be done, and
actually implementing it, I'd appreciate any advice and help.
--__--__--
Message: 2
Date: Mon, 13 Jun 2005 15:13:36 -0400
To: "R. DuFresne" <dufresne@sysinfo.com>,
Dave Piscitello <dave@corecom.com>
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?
Cc: "Paul D. Robertson" <paul@compuwar.net>,
Fritz Ames <fritzames@earthlink.net>, Ben Nagy <ben@iagu.net>,
firewall-wizards@honor.icsalabs.com
R. DuFresne wrote:
>Failing to do so moves liability out of the end users realm, even Marcus would have to agree there.
I couldn't agree more - if a vendor misrepresents their product they
should be held accountable. There are agencies of the government
that are already responsible for enforcing truth-in-advertising rules,
and there are precedent-setting decisions that hold the vendors
liable in such circumstances.
In the field of software, we have 2 problems - one: the truth
in advertising rules are not being enforced effectively, and
two: "shrink wrap" licensing has been upheld as a way of
releasing vendors for all responsibility - even the consequences
of their outright lies.
Outright lies? Isn't that a bit severe? Well, I give you one
case in point: I recently re-installed Windows XP on my
desktop machine (my annual "clean scrape") and as it was
installing (and on the product box) Microsoft touted XP as
a way to "quickly and securely access the Internet" Oh. Really?
mjr.
--__--__--
Message: 3
From: "Dave Piscitello" <dave@corecom.com>
To: "Marcus J. Ranum" <mjr@ranum.com>,
firewall-wizards@honor.icsalabs.com
Date: Mon, 13 Jun 2005 17:09:30 -0400
Subject: Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?
Reply-To: dave@corecom.com
We're collapsing threads:
1) misrepresentation/deception and accountability
This is what Ron's reply to my email mentioned. I think we all agree.
This is plain bad acting and it really would be refreshing to see
someone apply laws commonly enforced in the brick-and-mortar world to
the virtual world. Add it to the list of things I want to see before
I die.
2) Hiding complexity versus hiding the truth about a product
I spoke of hiding complexity in my email - putting grep/awk/sed
behind a GUI is very different from not documenting that "left set to
factory default settings, our device accepts incoming ftp connections
from guest accounts with no password enforcement."
On 13 Jun 2005 at 15:13, Marcus J. Ranum wrote:
> R. DuFresne wrote:
> >Failing to do so moves liability out of the end users realm, even
> >Marcus would have to agree there.
>
> I couldn't agree more - if a vendor misrepresents their product they
> should be held accountable. There are agencies of the government that
> are already responsible for enforcing truth-in-advertising rules, and
> there are precedent-setting decisions that hold the vendors liable in
> such circumstances.
>
> In the field of software, we have 2 problems - one: the truth
> in advertising rules are not being enforced effectively, and
> two: "shrink wrap" licensing has been upheld as a way of
> releasing vendors for all responsibility - even the consequences
> of their outright lies.
>
> Outright lies? Isn't that a bit severe? Well, I give you one
> case in point: I recently re-installed Windows XP on my
> desktop machine (my annual "clean scrape") and as it was
> installing (and on the product box) Microsoft touted XP as
> a way to "quickly and securely access the Internet" Oh. Really?
>
> mjr.
>
>
--__--__--
Message: 4
Date: Tue, 14 Jun 2005 16:01:52 +0530
From: Siju George <sgeorge.ml@gmail.com>
Reply-To: Siju George <sgeorge.ml@gmail.com>
To: Darren Reed <darrenr@reed.wattle.id.au>
Subject: Re: [fw-wiz] Is NAT in OpenBSD PF UPnP enabled or Non UPnP?
Cc: firewall-wizards@honor.icsalabs.com
On 5/31/05, Darren Reed <darrenr@reed.wattle.id.au> wrote:
> > From
> >
> > http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/worki01.mspx
> >
> > I understand that it is possible with UPnP enabled NAT devices.
> >
> > Is the NAT in PF UPnP enabled??
> >
> > or could someone tell me how I can accomplish this with OpenBSD.
>
> The only free, unix-based, UPnP implementation is for Linux and iptables,
> so your solution is to wipe OpenBSD and install Linux.
>
> When it comes to things like UPnP, there are a lot of luddites in the *BSD
> community. Others of us, who have benefited from it and understand why it
> is useful, just don't have time.
>
Hi Darren,
I find that
Tuesday, June 07, 2005 blog of pfSense
at http://pfsense.blogspot.com/
says that a "New UPNP package from Scott" is added.
Hope it will do the job and finally there is a UPnP implementation for BSD :-)
Thank you so much for all your comments
kind regards
Siju
--__--__--
Message: 5
From: "Paul Melson" <psmelson@comcast.net>
To: <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] so much for "deny all"
Date: Tue, 14 Jun 2005 08:54:47 -0400
I think that Gartner's assertion that these firewalls "...allow all network
traffic and behavior..." is likely to be a misstatement, at least insofar as
these devices are either a) intended to be deployed behind an existing
firewall with a typical ACL/NAT policy or b) have typical ACL and NAT
capabilities in addition to [meaningless buzzword omitted] features. Either
way, they can still be configured with a default deny-all rule.
I think it's much ado about nothing (both the panic and the hype). The real
issue is the same issue that's been plaguing networks since the first
"stateful" firewalls shipped to customers: it is easier to adopt a sloppy
trust model than it is to discover, document, and enforce a strict traffic
policy. Despite the obvious problems firewall vendors are ultimately just
vendors. They must move units, and therefore their products have features
that appeal to our lazy networks and lax policies.
PaulM
-----Original Message-----
Subject: Re: [fw-wiz] so much for "deny all"
From the TechTarget coverage of the Gartner Security Summit this week:
"Next generation firewalls that do deep-packet inspections from
vendors like Juniper Networks, Check Point and Fortinet employ a
heuristics engine and allow all network traffic and behavior, except
those which policy says it must block. Most enterprises, however,
refresh their firewall purchases on a three- to five-year cycle and
that makes it challenging to synch new features."
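The two threads above both come down to the same ruleset question: Pat (Message 1) is deciding whether to put ipfilter on production Sun hosts, and PaulM (Message 5) points out that whatever the box is called, it can still be configured default-deny, and that the hard part is writing down the traffic policy. The following ipf ruleset is an added illustration of that policy, not a config from any list member: it contrasts the "wide open" option #1 with a per-host ruleset that only passes the services the host is known to offer and logs everything else. The interface name (hme0), the host address 192.0.2.10 and the admin subnet 192.0.2.0/24 (RFC 5737 documentation addresses) are assumptions; substitute the real ones.

```conf
# --- Option 1, "wide open": the host's own hardening is the only control.
# Equivalent to having no ruleset at all; shown only for contrast.
#pass in  all
#pass out all

# --- Option 2, per-host default deny. ipf evaluates rules top to bottom and,
# without "quick", the LAST matching rule wins; "quick" stops at first match,
# so these rules are ordered most-specific first with the deny at the end.

# Loopback is unrestricted.
pass in  quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: nothing arriving on hme0 may claim to be this host
# (assumed address 192.0.2.10).
block in quick on hme0 from 192.0.2.10/32 to any

# Outbound: let the host initiate connections and track them in the state
# table so replies are admitted without separate inbound rules.
pass out quick on hme0 proto tcp  from any to any flags S keep state
pass out quick on hme0 proto udp  from any to any keep state
pass out quick on hme0 proto icmp from any to any keep state

# Inbound: only the services this host actually offers. Administrative
# SSH from the assumed admin subnet; HTTPS from anywhere. "flags S" means
# only a fresh SYN can create state, so stray ACKs/RSTs never match.
pass in quick on hme0 proto tcp from 192.0.2.0/24 to 192.0.2.10 port = 22  flags S keep state
pass in quick on hme0 proto tcp from any          to 192.0.2.10 port = 443 flags S keep state

# Default deny, logged, so that anything not covered by the documented policy
# shows up in ipmon output instead of silently reaching a listening service.
block in  log quick on hme0 all
block out log quick on hme0 all
```

To load and inspect a ruleset like this, flush and reload with `ipf -Fa -f <file>`, list the active rules with `ipfstat -io`, and watch the logged blocks with `ipmon`. Two practical checks before rolling it to the production hosts: open a second SSH session before loading so a typo cannot lock you out, and run with the final two `block ... log` rules for a while on a non-production box, since the log is exactly the "discover and document" step PaulM describes; any legitimate traffic you forgot will appear there rather than being discovered by an outage.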
--__--__--
Message: 6
From: "Dave Piscitello" <dave@corecom.com>
To: "Brian Loe" <knobdy@stjoelive.com>
Date: Tue, 14 Jun 2005 17:45:09 -0400
Subject: RE: [fw-wiz] Ok, so now we have a firewall, we're safe, right?
Reply-To: dave@corecom.com
Cc: firewall-wizards@honor.icsalabs.com
Jake (a.k.a. Marcus) and I are on a mission from God.
Seriously, I care. Protecting myself, my family, friends, company and
clients isn't satisfying enough. I also find it's much simpler to be
*more* secure than most people think, with about the same
inconvenience as buckling a seatbelt.
But THINKING before acting is a tough requirement to enforce;-O
On 10 Jun 2005 at 12:57, Brian Loe wrote:
>... most people don't care so that's not likely to happen soon - so
> what? Why do you care? Protect yourself and be happy, right?
--__--__--
Message: 7
Date: Wed, 15 Jun 2005 13:51:11 +0900
From: Mark Sargent <powderkeg@snow.email.ne.jp>
Organization: Home
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] Password Recovery IP330
Hi All,
I'm able to access an IP330, but can't get in due to not knowing the
password. Can't find anything specific on the net for this. Anyone know
how to reset the password? Cheers.
Mark Sargent.
--__--__--
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest