Saturday, June 18, 2005

firewall-wizards digest, Vol 1 #1614 - 9 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? (Darren Reed)
2. Re: Password Recovery IP330 (Mordechai T. Abzug)
3. Citrix vs OWA (Brian Gardner)
4. Re: Citrix vs OWA (David Lang)
5. Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? (Ben Lindsey)
6. Transitive Trust: 40 million credit cards hack'd (Marcus J. Ranum)
7. Re: InfoSec's Waterloo and its implications (Vin McLellan)
8. Re: Citrix vs OWA (Paul D. Robertson)
9. Re: Citrix vs OWA (Victor Williams)

--__--__--

Message: 1
From: Darren Reed <darrenr@reed.wattle.id.au>
Subject: Re: [fw-wiz] Is NAT in OpenBSD PF UPnP enabled or Non UPnP?
To: Siju George <sgeorge.ml@gmail.com>
Date: Sat, 18 Jun 2005 02:07:30 +1000 (EST)
Cc: Darren Reed <darrenr@reed.wattle.id.au>,
firewall-wizards@honor.icsalabs.com

[ Charset ISO-8859-1 unsupported, converting... ]
> Hi Darren,
>
> I find that
>
> Tuesday, June 07, 2005 blog of pfSense
>
> at http://pfsense.blogspot.com/

Hmmm, my ISP in China blocks access to this website but not pfsense.org.

Darren

--__--__--

Message: 2
Date: Thu, 16 Jun 2005 18:10:30 -0400
From: "Mordechai T. Abzug" <morty@frakir.org>
To: Mark Sargent <powderkeg@snow.email.ne.jp>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Password Recovery IP330

On Wed, Jun 15, 2005 at 01:51:11PM +0900, Mark Sargent wrote:
> Hi All,
>
> I'm able to access an IP330, but can't access it due to not knowing the
> password. Can't find anything specific on the net for this. Anyone know
> how to reset the password? Cheers.

For Nokia hardware in general (haven't used the IP330):

- booting single-user: connect to serial console, reboot. Press any key
when prompted "type any character to enter command mode". Type
"boot -s".

- password recovery: boot single user, run /etc/overpw to change password

[This is one of the first things I figure out and take notes on when I
have a new kind of device. A lot nicer to figure it out at leisure in
a lab environment than in the middle of the night when you really need
it.]

Morty

--__--__--

Message: 3
Date: Fri, 17 Jun 2005 16:57:50 -0700
From: "Brian Gardner" <gardnerb@ci.lake-havasu-city.az.us>
To: <firewall-wizards@honor.icsalabs.com>
Subject: [fw-wiz] Citrix vs OWA

Greetings everyone.

As the network administrator (and security minded person) for our small
local government network (300 users), I've been asked to make our
internal email (Exchange 2003) and other applications (not web based
apps, just internal) and files available from the internet through our
Checkpoint firewall. I've done much reading on Outlook Web Access and
its security implications as well as followed the many topics here
regarding remote access. What I haven't seen mentioned here as an
alternative to OWA is Citrix via the Presentation Server and Secure
Gateway.

Assuming you deploy the Citrix solution properly, apply patches, etc,
what is the general consensus regarding Citrix? Good idea? Bad idea?
At this point I haven't deployed or set up anything, and I'm not looking
for specific instructions or how-to's, rather a feel for which I'm going
to have the least amount of trouble with, and an answer to the statement
my supervisor(s) make that "everybody else does it, why can't we?"

Thank you much.
BrianG

--__--__--

Message: 4
From: David Lang <david.lang@digitalinsight.com>
To: Brian Gardner <gardnerb@ci.lake-havasu-city.az.us>
Cc: firewall-wizards@honor.icsalabs.com
Date: Fri, 17 Jun 2005 17:52:51 -0700 (PDT)
Subject: Re: [fw-wiz] Citrix vs OWA

On Fri, 17 Jun 2005, Brian Gardner wrote:

> Greetings everyone.
>
> As the network administrator (and security minded person) for our small
> local government network (300 users), I've been asked to make our
> internal email (Exchange 2003) and other applications (not web based
> apps, just internal) and files available from the internet through our
> Checkpoint firewall. I've done much reading on Outlook Web Access and
> its security implications as well as followed the many topics here
> regarding remote access. What I haven't seen mentioned here as an
> alternative to OWA is Citrix via the Presentation Server and Secure
> Gateway.
>
> Assuming you deploy the Citrix solution properly, apply patches, etc,
> what is the general consensus regarding Citrix? Good idea? Bad idea?
> At this point I haven't deployed or set up anything, and I'm not looking
> for specific instructions or how-to's, rather a feel for which I'm going
> to have the least amount of trouble with, and an answer to the statement
> my supervisor(s) make that "everybody else does it, why can't we?"

The Microsoft RDP has been enhanced over the years so that it also does
encryption (like the Citrix stuff); the key question is what you do for
authentication. There are plugins for Citrix for token-based
authentication systems, and some of those vendors are now starting to
support raw RDP ('terminal server') use.

David Lang

--
There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
-- C.A.R. Hoare

--__--__--

Message: 5
Date: Fri, 17 Jun 2005 20:10:39 -0500
From: Ben Lindsey <blindsey@forensic.nu>
To: Darren Reed <darrenr@reed.wattle.id.au>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Is NAT in OpenBSD PF UPnP enabled or Non UPnP?

Darren,

Not much on the blog there that you *really* need -- you can probably
get by with the info at pfsense.org or pfsense.com. I have been
following this product somewhat and have not yet seen any indication
that a port for OpenBSD has yet been completed. They seem focused on
FreeBSD/DragonFly for now.

Likely your ISP is blocking blogspot cause of things like "f r e e d o
m" and "d e m o c r a c y", perhaps "t a i w a n e s e i n d e p e n d
e n c e ." ;)

-bjl

Darren Reed wrote:

>[ Charset ISO-8859-1 unsupported, converting... ]
>
>
>>Hi Darren,
>>
>>I find that
>>
>>Tuesday, June 07, 2005 blog of pfSense
>>
>>at http://pfsense.blogspot.com/
>>
>>
>
>Hmmm, my ISP in China blocks access to this website but not pfsense.org.
>
>Darren
>_______________________________________________
>firewall-wizards mailing list
>firewall-wizards@honor.icsalabs.com
>http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
>
>

--__--__--

Message: 6
Date: Fri, 17 Jun 2005 21:25:24 -0400
To: firewall-wizards@honor.icsalabs.com
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: [fw-wiz] Transitive Trust: 40 million credit cards hack'd

40M credit cards hacked
Breach at third party payment processor affects 22 million Visa cards and 14 million MasterCards.
http://money.cnn.com/2005/06/17/news/master_card/index.htm?cnn=yes

This sounds like (yet another) classical example of "transitive trust gone wrong."
Visa/MasterCard trusted a 3rd party to hold their data and - oops - the trust
was misplaced.

I figure Paul and I and the other "security graybeards" can let this kind of
thing keep happening for a few months more and then we can start turning
on the big, blinking neon lights that say "We Told You So." Transitive
trust is a *HARD* problem in security. Always has been, always will be.
But today's businesses convinced themselves that they could basically
ignore it - mostly because the obvious stuff like patching and vulnerability
management was more obvious and accessible.

The shift away from mainframe computing to departmental and distributed
in the 80's resulted in a massive dissemination of data. Instead of data
being held in one place in the enterprise, it's available for anyone with a
password who can open an SQL session and make a local table to
play with in Excel/Access. So private and sensitive data was scattered
to - essentially everyone with a password. Now that the horse has left
the barn, and trotted a few miles down the road, a great deal of attention
is being paid to the latch on the barn door. To make matters worse, the
"permissive 90's" and the "outsourcing of 2001" dramatically expanded
both the vulnerability footprint of most enterprises at the same time as
their trust boundaries ballooned toward the effectively infinite.

Here's a position to ponder: it's probably too late to secure enterprise
data, in all practical senses of the term "secure." What's "Plan B"?
Is there a "Plan B"?

"We told you so."
mjr.

--__--__--

Message: 7
Date: Sat, 18 Jun 2005 02:56:02 -0400
To: firewall-wizards@honor.icsalabs.com
From: Vin McLellan <vin@theworld.com>
Subject: [fw-wiz] Re: InfoSec's Waterloo and its implications

Congress offers competing ideas on fighting ID theft --
Proposals include licensing data brokers, notifying potential victims

ComputerWorld News Story by Grant Gross
JUNE 17, 2005 <HTTP://WWW.IDG.NET>(IDG News Service)
url: http://tinyurl.com/dsos7

<snip> <snip>

This is a decent overview of the Congressional mood as of 6/17 -- the day
it was announced that financial information on some 40 million credit card
holders <http://tinyurl.com/cmgzw> had been illicitly accessed in a
sophisticated data theft using a targeted virus... and the day after the UK
announced that the data files of various British government agencies and
financial institutions had (also) been penetrated
<http://tinyurl.com/74atz> by a targeted virus attack, to unknown ends.

Whatever comes next is bound to be noisy and authoritative.

_Vin

--__--__--

Message: 8
Date: Sat, 18 Jun 2005 10:59:42 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: Brian Gardner <gardnerb@ci.lake-havasu-city.az.us>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Citrix vs OWA

On Fri, 17 Jun 2005, Brian Gardner wrote:

> Greetings everyone.
>
> As the network administrator (and security minded person) for our small
> local government network (300 users), I've been asked to make our
> internal email (Exchange 2003) and other applications (not web based
> apps, just internal) and files available from the internet through our
> Checkpoint firewall. I've done much reading on Outlook Web Access and

The first thing you should do is to get authority to do a real risk
assessment- since you'll be potentially opening up all the goodies to any
potential attacker on the planet, and since that means that it's more
likely that folks will use compromised home computers to conduct business.
It may be "ok" for some applications and not others, which would mean
having to build out more security infrastructure to limit the potential
damage.

I'll add at this point that the worst breach I've ever seen was at a
municipality where someone had (a) broken into the court system, (b)
trojaned hundreds of systems and (c) broken into the interactive voice
response (IVR) system. There was lots more going on there, but those were
three rather large issues I had to deal with.

> its security implications as well as followed the many topics here
> regarding remote access. What I haven't seen mentioned here as an
> alternative to OWA is Citrix via the Presentation Server and Secure
> Gateway.
>
> Assuming you deploy the Citrix solution properly, apply patches, etc,
> what is the general consensus regarding Citrix? Good idea? Bad idea?

Anytime you extend your trust boundary, it's bad for security- the
question is if it's necessary to extend it or if it's just convenient-
that's the point of doing an up-front assessment.

> At this point I haven't deployed or set up anything, and I'm not looking
> for specific instructions or how-to's, rather a feel for which I'm going
> to have the least amount of trouble with, and an answer to the statement
> my supervisor(s) make that "everybody else does it, why can't we?"

Do the assessment, or have someone do it for you- then provide them with
the "if we do this, there's a risk of that" stuff in writing- then they
get to choose if they want to take the same risk as "everybody else."

FWIW, I'd do one-time tokens for OWA *or* Citrix just to make sure that
the user's responsibility is upheld.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

--__--__--

Message: 9
Date: Sat, 18 Jun 2005 10:32:50 -0500
From: Victor Williams <vbwilliams@neb.rr.com>
To: "Paul D. Robertson" <paul@compuwar.net>
Cc: Brian Gardner <gardnerb@ci.lake-havasu-city.az.us>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Citrix vs OWA

> Do the assessment, or have someone do it for you- then provide them with
> the "if we do this, there's a risk of that" stuff in writing- then they
> get to choose if they want to take the same risk as "everybody else."
>
> FWIW, I'd do one-time tokens for OWA *or* Citrix just to make sure that
> the user's responsibility is upheld.
>

I second that. I'd do everything Paul said... bring in a 3rd party to do
the risk assessment who is seemingly neutral.

The one-time token thing has also gotten a LOT less expensive in
up-front dollars to implement. BUT, do the risk assessment FIRST.
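Both Paul (message 8) and Victor (message 9) recommend one-time tokens in front of OWA or Citrix. The following is an added illustration, not code from any poster or from the list, of what the server side of such a token check looks like: an HMAC-based one-time password (HOTP, RFC 4226) verifier that accepts a code once, moves its counter past it so the same code cannot be replayed, and tolerates a small look-ahead window for codes the user generated but never submitted. The secret used below is the published RFC 4226 test-vector secret, so the outputs can be checked against the RFC; the TokenVerifier class and its look_ahead parameter are this example's own design, not part of any Citrix or OWA product.

```python
import hashlib
import hmac
import struct

# Published RFC 4226 test-vector secret (the ASCII string "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an RFC 4226 HOTP value for the given secret and counter."""
    # Counter is an 8-byte big-endian integer, MAC is HMAC-SHA1.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: low nibble of the last byte selects a 4-byte window.
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return f"{code:0{digits}d}"


class TokenVerifier:
    """Server-side HOTP verifier for one user (hypothetical design).

    Keeps the next expected counter. A submitted code is accepted only if it
    matches the expected counter or one of the next `look_ahead` counters;
    on success the counter jumps past the matched value, so a code that was
    already used (or one that was skipped over) is rejected afterwards.
    """

    def __init__(self, secret: bytes, look_ahead: int = 3, digits: int = 6):
        self.secret = secret
        self.counter = 0          # next counter value we expect to see
        self.look_ahead = look_ahead
        self.digits = digits

    def verify(self, submitted: str) -> bool:
        for step in range(self.look_ahead + 1):
            candidate = self.counter + step
            expected = hotp(self.secret, candidate, self.digits)
            # Constant-time comparison to avoid leaking digit matches via timing.
            if hmac.compare_digest(expected, submitted):
                self.counter = candidate + 1   # burn this code and everything before it
                return True
        return False


def demo() -> list:
    """Walk through accept / replay / look-ahead / stale cases and return the outcomes."""
    verifier = TokenVerifier(RFC4226_SECRET)
    first = hotp(RFC4226_SECRET, 0)     # code for counter 0
    skipped = hotp(RFC4226_SECRET, 1)   # code for counter 1, never submitted
    third = hotp(RFC4226_SECRET, 2)     # code for counter 2
    return [
        ("fresh code",            verifier.verify(first)),    # True
        ("same code replayed",    verifier.verify(first)),    # False
        ("code within window",    verifier.verify(third)),    # True (counter 1 skipped)
        ("skipped, now stale",    verifier.verify(skipped)),  # False
        ("garbage",               verifier.verify("000000")), # False
    ]


if __name__ == "__main__":
    for label, ok in demo():
        print(f"{label:22s} -> {'accepted' if ok else 'rejected'}")
```

The look-ahead window is the usual trade-off: a larger window forgives more user fumbling but lets an attacker holding an intercepted but unused code keep it valid for longer, which is why the counter jumps forward on every success rather than only incrementing by one.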

--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest