Thursday, July 21, 2005

firewall-wizards digest, Vol 1 #1637 - 11 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. Re: Discretionary WiFi Access (Paul D. Robertson)
2. Re: Internet accessible screened subnet - use public or
private IPs? (Paul D. Robertson)
3. FW: [fw-wiz] VOIP versus PBX (Yehuda Goldenberg)
4. Re: Discretionary WiFi Access (Jim Seymour)
5. Re: Discretionary WiFi Access (Roger Rustad)
6. Re: VOIP versus PBX (Scott Stursa)
7. Re: FW: [fw-wiz] VOIP versus PBX (Paul D. Robertson)
8. Re: Intel vs. special purpose FW-1 servers (Carson Gaspar)
9. Re: FW: [fw-wiz] VOIP versus PBX (Roelof JT Jonkman)
10. Re: FW: [fw-wiz] VOIP versus PBX (Michael H)

--__--__--

Message: 1
Date: Thu, 21 Jul 2005 13:53:47 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: Josh Welch <jwelch@buffalowildwings.com>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Discretionary WiFi Access

On Fri, 8 Jul 2005, Josh Welch wrote:

> I have setup an access point outside of our firewall for this express
> purpose. It is wide open and I simply monitor port usage to keep an eye
> out for any abuse, it hasn't been an issue so far.

Isn't this kind of SBCYF[1]?

Paul
[1] Security by crossing your fingers.
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

--__--__--

Message: 2
Date: Thu, 21 Jul 2005 13:56:17 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: Matt Bazan <Mbazan@onelegal.com>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Internet accessible screened subnet - use public or
private IPs?

On Fri, 15 Jul 2005, Matt Bazan wrote:

> Is there a preferred method of setting up an Internet-facing screened
> subnet and the use of public or private IP addresses? Looking at
> redesigning our DMZ to only include public resources (www, smtp, imap,
> ftp). Presently we use a private IP address range for this that is
> NAT'ed at our firewall. Any reasons to change this policy to using
> public IPs in the DMZ? Thanks,

If you're NATing to your internal network, then a rework is necessary-
public stuff should be on its own (preferably) physical subnet.

IP addressing doesn't matter much, since you'll be letting stuff through
the most likely exploit vectors anyway.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

--__--__--

Message: 3
Subject: FW: [fw-wiz] VOIP versus PBX
Date: Thu, 21 Jul 2005 14:31:50 -0400
From: "Yehuda Goldenberg" <Yehuda@nj.essutton.com>
To: <firewall-wizards@honor.icsalabs.com>

I didn't ask about 911 tracking, but I would assume since all phone
calls are handled centrally at their location, and they are providing
the internet link and the phone service, they should be able to do 911
tracking.

They told me that the desktop instruments are powered by POE switches -
I suppose those can be backed up by battery and generator if needed. All
routing equipment along the path to the internet would need to be backed
up also. This is anyway irrelevant because it's replacing a PBX with no
power protection.

I don't know enough about QOS to know how a host in a different vlan
than the phones can cross the vlan to shut down the phone network but I
do know enough to ask.

________________________________________
From: Pollock, Joseph [mailto:PollockJ@evergreen.edu]
Sent: Thursday, July 21, 2005 1:40 PM
To: Yehuda Goldenberg; firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] VOIP versus PBX

Other issues:

1. How does the vendor plan to handle 911 location tracking?

2. The typical PBX has battery backup and, often, emergency generator
support, and powers the desktop instruments. How does this compare to
your network infrastructure? Is your current phone system considered an
emergency communication component at your company? Is your network
fully power protected in case of power outages?

3. There have been some quality reviews of VoIP gear recently (I don't
know the methodology or quality of the reviews) that indicate that
audio quality is more like a cell phone than a typical wired phone,
among other characteristics, and that overall reliability is not yet up
to traditional PBX standards.

I'm not even going to touch on IP issues like DOS attacks or infected
hosts overwhelming the QOS - I'd like to see a vendor demonstrate that.
=A0
Joe Pollock
Network Services
The Evergreen State College

________________________________________
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Yehuda
Goldenberg
Sent: Friday, July 15, 2005 6:41 AM
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] VOIP versus PBX

Our company is looking to replace an antiquated phone system.
I was leaning towards using a traditional PBX, because I figured that it
would be more reliable and it wouldn't be subject to the problems of IP
networks.
One vendor is trying to get me to change my mind about that. He claims
that we can keep the voice and data networks completely separate by
running vlans. The IP phones have vlan switches on them and one wire can
be run to each desk and the pc and the phone can be on separate vlans.
I was concerned that problems on the data network such as viruses would
still bring down the whole thing, and in addition to the pcs not
working, the phones wouldn't work either and it would be total mayhem.
He says that QOS would make sure that the phone calls always go through
even if the data network is completely dead.
I was also concerned that the VOIP system would mean every call - even
desk-to-desk would go through the internet and if the T1 to the internet
goes down, the phones don't work. His answer to that was redundant T1
links, and since they are the ISP and the VOIP provider, they will give
us a reliable network that won't go down. Also all the VOIP equipment on
their end is redundant.

What else do I have to worry about with VOIP? Is VOIP ready to replace
PBX yet, or is it too new?

Any help would be appreciated.

--__--__--

Message: 4
To: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Discretionary WiFi Access
Reply-To: firewall-wizards@honor.icsalabs.com
Date: Thu, 21 Jul 2005 14:39:10 -0400 (EDT)
From: jseymour@linxnet.com (Jim Seymour)

"Paul D. Robertson" <paul@compuwar.net> wrote:
>
> On Fri, 8 Jul 2005, Josh Welch wrote:
>
> > I have setup an access point outside of our firewall for this express
> > purpose. It is wide open and I simply monitor port usage to keep an eye
> > out for any abuse, it hasn't been an issue so far.
>
> Isn't this kind of SBCYF[1]?

"Kind of?" ;)

Another thing, which I haven't seen discussed: It seems probable that
the access in question would naturally be less restricted than what's
normally allowed by one's corporate firewall, yeah? (Well, unless one
has killed their firewall [1] ;).) E.g.: Perhaps SMTP, POP3, IMAP, Net
Meeting (*barf*), etc., unfiltered. You'll want some way to keep
employees with wireless capability from accessing your insecure
courtesy WLAN--particularly whilst they're connected to your secured
LAN (router, anybody?).

I think it should be unnecessary to point out that some employees
will inevitably try, and the multitude of dangers should they not be
prohibited from succeeding.

[1] Ref: "The Death Of A Firewall"

Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/scform.php>.

--__--__--

Message: 5
Date: Thu, 21 Jul 2005 11:38:55 -0700
Reply-To: Roger.Rustad@gmail.com
To: firewall-wizards@honor.icsalabs.com, jwelch@buffalowildwings.com
Subject: Re: [fw-wiz] Discretionary WiFi Access
From: Roger Rustad <roger.rustad@gmail.com>

How would you know if there were port abuse? What types of port
activity would you look for?

Roger

Paul D. Robertson wrote:
> On Fri, 8 Jul 2005, Josh Welch wrote:
>
>
>>I have setup an access point outside of our firewall for this express
>>purpose. It is wide open and I simply monitor port usage to keep an eye
>>out for any abuse, it hasn't been an issue so far.
>
>
> Isn't this kind of SBCYF[1]?
>
> Paul
> [1] Security by crossing your fingers.
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal opinions
> paul@compuwar.net which may have no basis whatsoever in fact."
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>

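Roger's question above (what port activity would you actually look for on an open courtesy AP?) is the kind of thing a small log-review script answers. The following is an added example, not code from the list or any poster: it runs two heuristics over constructed firewall log lines in a made-up 'action src dst dport proto' format, flagging a client that touches many ports on one host (scan) and a client opening outbound SMTP to many mail servers (spam relay). The thresholds are assumptions for the demo.

```python
"""Port-usage review for an open guest AP (added example, constructed data)."""
from collections import defaultdict

# Thresholds are assumptions for the demo; tune them to your own baseline.
SCAN_PORT_THRESHOLD = 6    # distinct dst ports on one host from one client
SMTP_HOST_THRESHOLD = 3    # distinct mail servers reached on tcp/25

# Constructed sample log; the format is invented, not any vendor's.
SAMPLE_LOG = """\
ALLOW 10.9.0.21 198.51.100.10 80 tcp
ALLOW 10.9.0.21 198.51.100.10 443 tcp
ALLOW 10.9.0.21 198.51.100.44 25 tcp
ALLOW 10.9.0.33 203.0.113.5 21 tcp
ALLOW 10.9.0.33 203.0.113.5 22 tcp
ALLOW 10.9.0.33 203.0.113.5 23 tcp
ALLOW 10.9.0.33 203.0.113.5 25 tcp
ALLOW 10.9.0.33 203.0.113.5 80 tcp
ALLOW 10.9.0.33 203.0.113.5 110 tcp
ALLOW 10.9.0.33 203.0.113.5 143 tcp
ALLOW 10.9.0.57 192.0.2.10 25 tcp
ALLOW 10.9.0.57 192.0.2.11 25 tcp
ALLOW 10.9.0.57 192.0.2.12 25 tcp
ALLOW 10.9.0.57 192.0.2.13 25 tcp
DENY 10.9.0.57 192.0.2.14 25 tcp
"""


def parse_log(text):
    """Yield (action, src, dst, dport, proto) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        action, src, dst, dport, proto = parts
        yield action, src, dst, int(dport), proto.lower()


def find_abuse(text):
    """Return a sorted list of (src, kind, detail) findings."""
    ports_per_pair = defaultdict(set)   # (src, dst) -> {dport}
    smtp_hosts = defaultdict(set)       # src -> {dst reached on tcp/25}
    for action, src, dst, dport, proto in parse_log(text):
        # Denied attempts count too: the attempt is the signal, not success.
        ports_per_pair[(src, dst)].add(dport)
        if proto == "tcp" and dport == 25:
            smtp_hosts[src].add(dst)
    findings = []
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings.append((src, "port-scan", f"{len(ports)} ports on {dst}"))
    for src, hosts in smtp_hosts.items():
        if len(hosts) >= SMTP_HOST_THRESHOLD:
            findings.append((src, "smtp-relay", f"{len(hosts)} mail servers"))
    return sorted(findings)


if __name__ == "__main__":
    for src, kind, detail in find_abuse(SAMPLE_LOG):
        print(f"{src:12} {kind:10} {detail}")
```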
--__--__--

Message: 6
Date: Thu, 21 Jul 2005 14:47:09 -0400 (EDT)
From: Scott Stursa <stursa@mailer.fsu.edu>
To: Yehuda Goldenberg <Yehuda@nj.essutton.com>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] VOIP versus PBX

On Fri, 15 Jul 2005, Yehuda Goldenberg wrote:

> Our company is looking to replace an antiquated phone system.

So far, so good.

> I was leaning towards using a traditional PBX, because I figured that it
> would be more reliable and it wouldn't be subject to the problems of IP
> networks.

That's a good direction to be leaning.

> One vendor is trying to get me to change my mind about that. He claims
> that we can keep the voice and data networks completely separate by
> running vlans. The IP phones have vlan switches on them and one wire can
> be run to each desk and the pc and the phone can be on separate vlans.

Let's hope the phones' "vlan switches" are 802.1Q compliant...

> I was concerned that problems on the data network such as viruses would
> still bring down the whole thing, and in addition to the pcs not
> working, the phones wouldn't work either and it would be total mayhem.
> He says that QOS would make sure that the phone calls always go through
> even if the data network is completely dead.

Then he has a very narrow definition of "completely dead". If a network
switch is DoS'd-to-99%-CPU or just plain crashed, then packets won't be
getting through regardless of the value of the QOS field.

> I was also concerned that the VOIP system would mean every call - even
> desk-to-desk would go through the internet

Probably true if the VOIP PBX is not on your premises.

> and if the T1 to the internet
> goes down, the phones don't work. His answer to that was redundant T1
> links,

Which probably will run over the same strand of fiber.

> and since they are the ISP and the VOIP provider, they will give
> us a reliable network that won't go down. Also all the VOIP equipment on
> their end is redundant.

You need more than redundant equipment to guarantee reliability. They
should also have redundant gateways to different POTS (Plain Old Telephone
Service) carriers (after all, 99% of the calls you'll be making will be to
phones on POTS).

I've been doing a little research on this subject because last week I
applied for a position at a university which is planning a
wholesale migration to VOIP (the position is with their TeleCom dept,
which apparently is recruiting in order to have some in-house IP expertise).

The position posting had some supplemental questions, one of which was
"What do you feel is the biggest challenge facing such a migration?"

I replied that their biggest challenge would be achieving comparable
reliability, and the biggest challenge to that is security. Traditional
telephony systems are pretty well isolated from those seeking to disrupt
them, and with VOIP you lose that inherent isolation. "It is a sad fact
that too many IT systems and networks are deployed without regard for
security considerations. Security is usually addressed after-the-fact, and
as a result is usually inadequate. Regardless of whether you select me for
your position, I hope you recognize the need to engineer-in security from
the start..."

Which pretty much guarantees I won't get the position, 'cause we all know
that most folks outside our profession regard ITsec as an inconvenient
obstacle to doing their job.

So I don't feel I'm risking much, by stating in this public forum:

Don't do it. Stick with a traditional (non-VOIP) PBX.

Regards,

- SLS

p.s. ran across this while looking into VOIP:

http://www.boingboing.net/2005/06/28/voipinacan_sysco_ip_.html

------------------------------------------------------------------------
Scott L. Stursa 850/644-2591
Network Security Analyst stursa@mailer.fsu.edu
OTI Enterprise Security Group Florida State University

- No good deed goes unpunished -

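Scott's two points above (are the phones' "vlan switches" 802.1Q compliant, and the QOS field is only a hint that a working switch may honour) are both visible on the wire. The following added example, not code from any poster, decodes the 802.1Q tag (TPID, PCP, VID) the way a port-mirror analyzer would and checks frames seen on a phone port against an assumed VLAN plan: voice VID 100, data VID 10, voice priority PCP 5, and a constructed list of phone MACs.

```python
"""Decode 802.1Q tags and check voice/data separation (added example)."""
import struct

TPID_8021Q = 0x8100
VOICE_VID, DATA_VID = 100, 10   # assumed VLAN plan for the demo
VOICE_PCP = 5                   # assumed priority marking for voice frames


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Construct an Ethernet frame, optionally 802.1Q-tagged (sample data)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is None:
        return hdr + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)   # DEI bit left clear
    return hdr + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return the header fields of a frame; vid/pcp are None when untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    vid = pcp = None
    body = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid, body = tci >> 13, tci & 0x0FFF, 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid,
            "pcp": pcp, "ethertype": ethertype, "payload": frame[body:]}


def classify(frame, phone_macs):
    """Label a frame seen on a phone port: 'voice', 'data', or a violation."""
    f = parse_frame(frame)
    on_voice_vlan = f["vid"] == VOICE_VID
    from_phone = f["src"] in phone_macs
    if on_voice_vlan and from_phone and f["pcp"] == VOICE_PCP:
        return "voice"
    if on_voice_vlan:
        # A PC that learned the voice VID, or a phone sending unmarked traffic.
        return "violation: non-phone or unmarked frame on voice VLAN"
    if f["vid"] == DATA_VID and not from_phone:
        return "data"
    if f["vid"] is None:
        return "violation: untagged frame (switch decides the VLAN)"
    return f"violation: unexpected vid {f['vid']}"


PHONE_MACS = {"00:11:22:33:44:55"}   # constructed
PC_MAC, GW_MAC = "66:77:88:99:aa:bb", "ff:ee:dd:cc:bb:aa"
SAMPLES = [
    build_frame(GW_MAC, "00:11:22:33:44:55", 0x0800, b"rtp", VOICE_VID, VOICE_PCP),
    build_frame(GW_MAC, PC_MAC, 0x0800, b"http", DATA_VID, 0),
    build_frame(GW_MAC, PC_MAC, 0x0800, b"sip", VOICE_VID, VOICE_PCP),
    build_frame(GW_MAC, PC_MAC, 0x0800, b"x"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s, PHONE_MACS))
```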
--__--__--

Message: 7
Date: Thu, 21 Jul 2005 15:58:43 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: Yehuda Goldenberg <Yehuda@nj.essutton.com>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: FW: [fw-wiz] VOIP versus PBX

On Thu, 21 Jul 2005, Yehuda Goldenberg wrote:

> I didn't ask about 911 tracking, but I would assume since all phone
> calls are handled centrally at their location, and they are providing
> the internet link and the phone service, they should be able to do 911
> tracking.

AFAIK VoIP services currently do *not* support E911. They can route 911
calls to their service center, or you can have the switch route to a local
number, but you will not get E911 service- that means the calling number
address won't show up at the local emergency call center, and responses
may be hampered because of it[1].

In a corporate setting, this is a risk call, since if someone has a major
injury on-site, and there's some address confusion or slow down you're
going to have to face a potential lawsuit in many situations. A loss
there could completely offset any savings.

Paul
[1] There's been some hoopla about it in residential situations,
including at least one "hey this might have prevented..." thing that's
probably been blown all to hell by the LECs who have just been forced to
give access to the 911 centers to VoIP providers, not sure if they'll
eventually include E911 service at some level.
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

--__--__--

Message: 8
Date: Thu, 21 Jul 2005 16:30:37 -0400
From: Carson Gaspar <carson@taltos.org>
To: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Intel vs. special purpose FW-1 servers

--On Thursday, July 21, 2005 09:32:44 AM -0400 "Marcus J. Ranum"
<mjr@ranum.com> wrote:

> You should know what your peak loads through the link are going to
> look like, and then you can start looking at which products claim they
> operate at that level. If you're really concerned you can either use
> one of two (equally effective) approaches to predict the performance
> you'll see:
> 1) test or research a credible performance test (not one done by a vendor
> lab) 2) use bob's algorithm - assume the product can actually handle 1/2
> of what its manufacturer claims it can handle

To add some real-life data to Marcus' common sense advice, be _very_
careful about what packet rate you need. FW-1 vendors love to talk bps, but
corner them on pps and their numbers are... less than stellar. And once you
exceeded their max pps rate, they behaved _very_ badly. At least that was
the case as of NG's release - it's possible things have improved in the
interim.

(Buy me a cosmo some time and I'll tell stories about dragging 64-byte
packet performance numbers out of Checkpoint while they kicked, whined,
screamed, and complained to my boss that I was being "unfair" for making
them give the same performance data all the other vendors did. By the way -
they came in dead last, on _any_ platform. Mmmmm.... slow _and_ insecure...)

--
Carson

--__--__--

Message: 9
From: Roelof JT Jonkman <rjt@pobox.com>
Subject: Re: FW: [fw-wiz] VOIP versus PBX
To: "Yehuda Goldenberg" <Yehuda@nj.essutton.com>
Cc: firewall-wizards@honor.icsalabs.com
Date: Thu, 21 Jul 2005 13:31:17 -0700

Yehuda,

This is a bit of an opinion piece, but nevertheless may give some insight:

I'm a bit surprised that VOIP is getting so much traction. First thing
is voice is point to point, ip is a connectionless protocol. (Not to mention
that most of the underlying long haul infrastructure is really connection
oriented voice based: sonet.) So the dichotomy is that we're stacking a
connection oriented thing on top of a connectionless protocol on top
of connection oriented infrastructure. It would be one thing if you can
completely share the infrastructure and get the reliability similar to
conventional phone systems. However the general advocacy seems to be *not*
to share infrastructure. (At the minimum VLANs are advocated) So the 'cost
savings' benefit is sort of out the window right there. The other thing is
complexity. VOIP is more complex to administer than a PBX.

The only point I can see to VOIP is if you are backhauling a lot of voice
to a central location, and you have say more than a dozen offices or so.
Administratively, and cost wise you may save there. (Less cost for
conventional backhaul lines I'm guessing.)

If I were you I would price out both options, and include reasonable
guestimates of running costs for both. (And I would pad the running costs
guestimate of VOIP royally due to the inherent complexity.)

Depending on the size of your location (pbx) you may be subject to certain
sets of legal obligations to provide proper phone system function in cases
of emergencies. (power outage etc.) Even in my last office of 10 or so
folks I made sure that the mini lucent pbx/voice box was on UPS etc. Also
hardwired a regular POS analog phone to one of the incoming analog phone lines
in the break room. Readily accessible in case of emergency.

roel

--__--__--

Message: 10
From: "Michael H" <af_pilot33@hotmail.com>
To: paul@compuwar.net, Yehuda@nj.essutton.com
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: FW: [fw-wiz] VOIP versus PBX
Date: Thu, 21 Jul 2005 13:33:04 -0700

We just moved to a VoIP system and the 911 calls are routed through them but
with our address and number shown as the source. Part of the approval
process is us actually calling 911 with a test call and validating what they
see.

In reference to previous posts on security, this company is addressing that
by us using a dedicated t1 through their offices. This way they control the
connection from our phone eventually to a POTS connection. This seems like a
decent idea for keeping folks who are not customers from disrupting the
system but I'm a little worried about those who are customers.

Michael

From: "Paul D. Robertson" <paul@compuwar.net>
To: Yehuda Goldenberg <Yehuda@nj.essutton.com>
CC: firewall-wizards@honor.icsalabs.com
Subject: Re: FW: [fw-wiz] VOIP versus PBX
Date: Thu, 21 Jul 2005 15:58:43 -0400 (EDT)

On Thu, 21 Jul 2005, Yehuda Goldenberg wrote:

> I didn't ask about 911 tracking, but I would assume since all phone
> calls are handled centrally at their location, and they are providing
> the internet link and the phone service, they should be able to do 911
> tracking.

AFAIK VoIP services currently do *not* support E911. They can route 911
calls to their service center, or you can have the switch route to a local
number, but you will not get E911 service- that means the calling number
address won't show up at the local emergency call center, and responses
may be hampered because of it[1].

In a corporate setting, this is a risk call, since if someone has a major
injury on-site, and there's some address confusion or slow down you're
going to have to face a potential lawsuit in many situations. A loss
there could completely offset any savings.

Paul
[1] There's been some hoopla about it in residential situations,
including at least one "hey this might have prevented..." thing that's
probably been blown all to hell by the LECs who have just been forced to
give access to the 911 centers to VoIP providers, not sure if they'll
eventually include E911 service at some level.
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest