
Thursday, July 21, 2005

firewall-wizards digest, Vol 1 #1638 - 10 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. RE: Intel vs. special purpose FW-1 servers (Paul Melson)
2. Re: FW: [fw-wiz] VOIP versus PBX (Paul D. Robertson)
3. Re: FW: [fw-wiz] VOIP versus PBX (Michael H)
4. Re: VOIP versus PBX (Patrick M. Hausen)
5. Re: Forwarding traffic to an active IDS/Firewall (Aaron Smith)
6. unsubscribe (Dbdataplus@aol.com)
7. Re: VOIP versus PBX (Elizabeth Zwicky)
8. RE: Discretionary WiFi Access (Brian Loe)
9. Re: VOIP versus PBX (Mark Teicher)
10. Re: VOIP versus PBX (Paul D. Robertson)

--__--__--

Message: 1
From: "Paul Melson" <pmelson@gmail.com>
To: "'Sawyer, Christopher'" <Christopher.Sawyer@getronics.com>,
"'Emily Conrad'" <emilydconrad@hotmail.com>,
<firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] Intel vs. special purpose FW-1 servers
Date: Thu, 21 Jul 2005 16:39:07 -0400

I don't know about your specific configuration or the prices you were
quoted, but the last time I priced Check Point products for a client, failover
was included with VPN-1 Pro and the load sharing license was only another few
thousand.

For a smaller network where an IP1xx or IP2xx is plenty, I suppose the
Nokias might be cheaper. But I can't say that I've ever seen anybody
attempt VRRP with a pair of IP130's. :) For a larger network where you'd
deploy an IP5xx or IP7xx, however, an x86 server with similar performance
would be roughly half the cost of the Nokia.

PaulM

-----Original Message-----
From: Sawyer, Christopher [mailto:Christopher.Sawyer@getronics.com]
Sent: Thursday, July 21, 2005 1:50 PM
To: Paul Melson; Emily Conrad; firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] Intel vs. special purpose FW-1 servers

I agree the SPLAT is awesome, but what about the costs of the VPG or HVPG
licenses needed to run clustering on the SPLAT boxes...

The cost to convert our existing licenses and the maintenance on them exceeds
most Nokia hardware prices, which come with VRRP for free.

--__--__--

Message: 2
Date: Thu, 21 Jul 2005 16:43:51 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: Michael H <af_pilot33@hotmail.com>
Cc: Yehuda@nj.essutton.com, <firewall-wizards@honor.icsalabs.com>
Subject: Re: FW: [fw-wiz] VOIP versus PBX

On Thu, 21 Jul 2005, Michael H wrote:

> We just moved to a VoIP system and the 911 calls are routed through them but
> with our address and number shown as the source. Part of the approval
> process is us actually calling 911 with a test call and validating what they
> see.

But are your calls routed to a national center for your VoIP provider with
their tracking info, or directly to your local municipal E911 center?

As far as I recall, the VoIP providers were all doing it to their own call
centers if they were doing it at all.

> In reference to previous posts on security, this company is addressing that
> by us using a dedicated t1 through their offices. This way they control the
> connection from our phone eventually to a POTS connection. This seems like a
> decent idea for keeping folks who are not customers from disrupting the
> system but I'm a little worried about those who are customers.

If you're still paying for a T-1, then I assume your savings are all local
loop and potentially IXC charges?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

--__--__--

Message: 3
From: "Michael H" <af_pilot33@hotmail.com>
To: paul@compuwar.net
Cc: Yehuda@nj.essutton.com, firewall-wizards@honor.icsalabs.com
Subject: Re: FW: [fw-wiz] VOIP versus PBX
Date: Thu, 21 Jul 2005 13:55:36 -0700

From: "Paul D. Robertson" <paul@compuwar.net>

> We just moved to a VoIP system and the 911 calls are routed through them but
> with our address and number shown as the source. Part of the approval
> process is us actually calling 911 with a test call and validating what they
> see.

But are your calls routed to a national center for your VoIP provider with
their tracking info, or directly to your local municipal E911 center?

As far as I recall, the VoIP providers were all doing it to their own call
centers if they were doing it at all.

>>Good question. I know they are doing something because we won't be
>>accepting the system until I can call 911 and they
>>have the right info. I assume it's to their center and from there to
>>our local 911 office.

> In reference to previous posts on security, this company is addressing that
> by us using a dedicated t1 through their offices. This way they control the
> connection from our phone eventually to a POTS connection. This seems like a
> decent idea for keeping folks who are not customers from disrupting the
> system but I'm a little worried about those who are customers.

If you're still paying for a T-1, then I assume your savings are all local
loop and potentially IXC charges?

>>Well here's the deal, they will also route our data traffic so we will
>>be eventually switching off our current T-1. We are also getting two T-1's
>>for some redundancy since I'm a little nervous. All of our remote
>>employees will be getting Cisco phones and will of course just use
>>their local broadband connection (this is where we expect significant
>>savings) though they also offer a service for home users (ISDN or T-1).
>>Of course the home user experience won't always be perfect but
>>many folks have gotten good connections via Vonage, Skype, etc.
>>The remote users will now be truly connected and managed by
>>us, whereas they haven't been in the past.

--__--__--

Message: 4
From: "Patrick M. Hausen" <hausen@punkt.de>
Subject: Re: [fw-wiz] VOIP versus PBX
To: Scott Stursa <stursa@mailer.fsu.edu>
Date: Thu, 21 Jul 2005 23:00:37 +0200 (CEST)
Cc: Yehuda Goldenberg <Yehuda@nj.essutton.com>,
firewall-wizards@honor.icsalabs.com

Hello, Wizards!

Scott L. Stursa wrote:

> > I was also concerned that the VOIP system would mean every call - even
> > desk-to-desk would go through the internet
>
> Probably true if the VOIP PBX is not on your premises.

> [...]

> So I don't feel I'm risking much, by stating in this public forum:
>
> Don't do it. Stick with a traditional (non-VOIP) PBX.

With the recent second round of hype about VoIP I'm always a bit puzzled
why people imply that you have to get "VoIP service" if you
want an IP based PBX.

I'd take an IP based system any time, but:

- rent a conventional phone service -> no problem with 911
- buy, not rent, an IP based PBX and end systems (aka "Phones" ;-)
- run VoIP on my strictly internal network

I like VoIP, I agree with Marcus that it's loaded with
probable security risks, but if you know about them, you simply
don't connect it to any public network.

So, if you act like I would, what does VoIP buy you in the end?

At least in Germany PBX systems are the most "locked in" pieces
of IT that I've ever come across. Ridiculous licensing models,
no documentation, vendors force you to rent their service
for simple configuration tasks or charge ridiculous amounts
for their proprietary configuration software.

If you happen to actually buy instead of rent a PBX from a company
that does provide documentation (like Ascom, Switzerland, for example),
the configuration concepts of a PBX are rather weird to networking
people (IMHO).

We sell the products of a German company named Innovaphone. They
produce fine (again, IMHO) IP based PBX systems - they are much
more similar to the configuration philosophies we are accustomed
to - routing based on longest prefix match, for example.

You simply buy the stuff, it comes with full docs, you set it
up. Period. No extra fees.

Their IP based phones can fetch the central phone book from an LDAP
server.

The phone registers itself at the PBX with its MAC address.
Unplug the phone, go to the next office, replug - you just moved,
including maintaining your phone number ...

I simply appreciate the similar concepts, the flexibility in
configuration and the fact that it's completely under my
control. We've been using this stuff since 1998, so the vendor's
been around at least for a while. We have Country and Western
- we have a conventional PBX and the Innovaphone equipment
connected to it. If I were buying completely new, I'd go completely
Innovaphone.

And in case of a power failure - our conventional PBX doesn't
have an emergency power supply. I have a cellphone.
And power failures in Germany are typically in the seconds range
and occur _very_ rarely.
I've had more downtime due to UPSs breaking than due to real
power outages.

Regards,
Patrick
--
punkt.de GmbH Internet - Dienstleistungen - Beratung
Vorholzstr. 25 Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe http://punkt.de

--__--__--

Message: 5
Subject: Re: [fw-wiz] Forwarding traffic to an active IDS/Firewall
From: Aaron Smith <smitha@byui.edu>
Reply-To: smitha@byui.edu
To: firewall-wizards@honor.icsalabs.com
Cc: Vinicius Pavanelli Vianna <ds@hacked.com.br>
Organization: Brigham Young University Idaho
Date: Thu, 21 Jul 2005 15:49:13 -0600

On Wed, 2005-07-13 at 18:39 -0300, Vinicius Pavanelli Vianna wrote:
> Hi all,
>
> Does anyone know how I can forward all traffic that came to a Cisco Catalyst
> switch to a gateway to do some IDS/Firewall/Traffic Shaping?
> In ipfw (FreeBSD) this would be done by an "fwd" rule to forward all
> packets to a forced gateway. Can this be done on a Cisco device, or do I
> need to emulate all the valid IPs on the switch and use a VLAN with the
> servers so the IDS receives the packets and forwards to the internal VLAN?
> This would be a little harmful ;)
>
> TIA,
> Vinicius

It sounds to me like you are wanting to do a port SPAN. A SPAN will
forward all [1] traffic from one port to another for analysis, making it
appear that both switched ports are in the same collision domain.
Cisco's site has documentation for CatOS and IOS on configuring SPANs,
but from memory it goes something like this in IOS:
(conf t) monitor session 1 source interface blah blah
(conf t) monitor session 1 destination interface blah blah

In CatOS it's something like "set port span" or "set span", I don't
fully recall. I hope this is enough to get you started :~)

[1] almost all--some error packets get dropped. Thanks a lot, cisco :~\

_________________________________

@@ron Smith <smitha@byui.edu>
Network Operations
Brigham Young University Idaho
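Added example (the editor's, not from Aaron's reply or from Cisco documentation): the IOS commands sketched above filled in as one complete local SPAN session, mirroring a server-facing port to the port where the IDS sensor is attached. The session number, interface names and VLAN number are placeholders. One caveat a practitioner should keep in mind: SPAN hands the sensor a copy of the frames, which is exactly what a passive IDS needs, but a device that has to firewall or shape traffic must be in the forwarding path, so SPAN on its own does not replace the VLAN arrangement Vinicius described.

```text
! Catalyst IOS local SPAN (example; session number, interface and VLAN
! numbers are placeholders). One session takes either interface sources
! or VLAN sources, not both at once.
configure terminal
monitor session 1 source interface GigabitEthernet0/1 both
! Alternative: mirror every port in the server VLAN instead of one port.
! monitor session 1 source vlan 10 both
monitor session 1 destination interface GigabitEthernet0/24
end
! Check what is actually being mirrored before trusting the sensor's view.
show monitor session 1

! CatOS form of the same idea (source port, destination port, direction):
! set span 2/1 3/1 both
```

While the session is active the destination port stops behaving as an ordinary switched port (it does not carry normal traffic for the host plugged into it), so the sensor's monitoring interface should be the only thing on that port. As Aaron's footnote notes, frames the switch discards as errored are not copied, so a SPAN feed is not a complete record of what hit the wire.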

--__--__--

Message: 6
From: Dbdataplus@aol.com
Date: Thu, 21 Jul 2005 18:38:28 EDT
To: firewall-wizards@honor.icsalabs.com
Cc: unsubscribe@honor.icsalabs.com
Subject: [fw-wiz] unsubscribe

please unsubscribe me


--__--__--

Message: 7
Cc: firewall-wizards@honor.icsalabs.com
From: Elizabeth Zwicky <zwicky@greatcircle.com>
Subject: Re: [fw-wiz] VOIP versus PBX
Date: Thu, 21 Jul 2005 16:38:44 -0700
To: "Michael H" <af_pilot33@hotmail.com>

On Jul 21, 2005, at 1:55 PM, Michael H wrote:
> Well here's the deal, they will also route our data traffic so we will
> be eventually switching off our current T-1. We are also getting two
> T-1's for some redundancy since I'm a little nervous.

How much experience do you have with redundant T-1s and failures?

In general, if you just buy 2 T-1s (even from different vendors, unless
you pick the vendors VERY carefully), they will be routed across
the exact same pieces of hardware for most of their lengths. The backhoe
that goes through one will go through both. The switching hardware failure
that kills one may well kill both. It's not uncommon for
2 different vendors to be re-selling strands of the same cable owned
by some third party. Even if they are in different cables, they will
usually be in the same conduit.

The really interesting question, however, is "What are the odds your phone
line is in that conduit, too?" Because if that answer is above 75%, maybe
it doesn't matter that your redundant T-1s aren't redundant. In my experience,
redundant T-1s fail together more often than T-1s and phone service, but
probably not even by a factor of 2, if you buy the T-1s from different vendors
so that the bozos dealing with the software don't cut you off. If you buy
the T-1s from the same vendor, there's no interesting redundancy at all;
they almost always fail together.

Elizabeth Zwicky
zwicky@greatcircle.com

--__--__--

Message: 8
From: "Brian Loe" <knobdy@stjoelive.com>
To: <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] Discretionary WiFi Access
Date: Fri, 8 Jul 2005 13:32:02 -0500

I'm sure others on the list will give you better, more detailed information,
but since I had to look over a plan much like this recently I thought I'd
throw my hat in the ring just because.

What my employer was planning was to use Cisco's Aironet product (a very
nice product from what I could tell, complete with a highly configurable CLI)
to VLAN out two wifi networks - one for employees with access to the internal
network, one for visitors with internet access. The visitors would still be
authenticated through a RADIUS server, and that password (for a "guestuser"
or some such) would be changed regularly (that was the plan anyway :) ).

> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
> Of Dave Null
> Sent: Thursday, July 07, 2005 3:47 PM
> To: firewall-wizards@honor.icsalabs.com
> Subject: [fw-wiz] Discretionary WiFi Access
>
> It's not firewall related, but there are some smart minds on this list.
> My company has started looking into campus-wide WiFi. I'll
> keep my personal feelings on this to myself though. One thing
> that keeps coming up is that one of the largest user
> communities that would take advantage of this would be
> non-employees. Vendors, salesmen, people meeting with
> GMs/VPs/Execs are probably going to be the main users of
> this. My question is, if you currently have a similar
> situation in your work environment, how do you handle
> granting these people temp/guest WiFi access?

--__--__--

Message: 9
Date: Thu, 21 Jul 2005 20:54:32 -0400
To: "Marcus J. Ranum" <mjr@ranum.com>
From: Mark Teicher <mht3@earthlink.net>
Subject: Re: [fw-wiz] VOIP versus PBX
Cc: "Yehuda Goldenberg" <Yehuda@nj.essutton.com>,
<firewall-wizards@honor.icsalabs.com>

At 11:25 AM 7/21/2005, Marcus J. Ranum wrote:
>Yehuda Goldenberg wrote:
> >What else do I have to worry about with VOIP?
>
>We don't know much about the security of VOIP PBXes but since they were
>largely developed by "phone guys" I'm comfortable assuming that
>there is little
>or none. So you have the issue of accidental or deliberate denial-of-service
>against desktop phones, but also the potential that the PBX can be attacked
>over the in-band network that's used to manage it. Because you *KNOW*
>that whoever manages the PBX will want to access it from their desktop
>workstation not a workstation on a separate VLAN.

Historically, most telecommunication folks who managed a PBX prior
to IP enabled PBXes would hide in the telco/phone room a majority of
the day to do moves, adds, changes and deletes, always standing by
with their 66/110 punchdown tool and butt-set with appropriate gator
clips to validate whether a traditional analog pair is
working. This even goes for 911 or alarm lines.

As the migration towards VOIP PBXes is occurring, the
telecommunications folks are a bit skittish of moving towards a
desktop workstation environment and would rather rely on their SAT
Terminal connected via Serial Connection to the back end of the
PBX. Most telecommunications folks get all befuddled when H.323/SIP
speak is talked about and usually see through the B.S. of the VoIP vendors.

Most crusty old or experienced PBX admins are a bit more crusty at
moving to the newer solutions especially when it involves screwing
with dial tone for their users. Cutovers to VoIP PBXes are much more
tricky, especially when migrating a call center environment or a
financial trading firm. Disruption in phone service could impact
their business greater than network disruption.

Much different POV than "ripping out old Gauntlet firewalls for the
latest and greatest cobbled together 'neat color scheme' all-in-one
appliance." :) Old motto: if it ain't broke, don't fix it.

Ensuring a VOIP solution works in default mode is not easy,
especially when considering large enterprise type entities are used
to just coming into their office picking up their analog phone and
retrieving their daily voicemail with little to no complexity.

Migration to a VOIP PBX solution can be very complex and daunting,
especially when dealing with QoS, MOS and jitter, even if implementing a
default configuration without turning on all the security features.

The scariest issue is whether the VoIP PBX vendor implemented the various
VoIP protocols correctly and ensured their solution plays well with
the various firewall, VPN, Intrusion Detection and Intrusion
Prevention vendors out there. Most are still in the process of
working out all the features to ensure users are not impacted too much.

P.S. I disavow any hands-on knowledge of VoIP PBX or traditional PBX
security.. :)

>The protocols used for VOIP are "problematic" let us say. "Designed by
>people who ignored security" might be a less tactful way to say it.
>"Moronic" also comes to mind. That said, there appear to be so many of
>them that it's hard to nail down whether you'll have a problem or not; it
>depends on what you wind up using and where/how. The situation is
>comparable to wireless - getting it all working in default mode is easy.
>Getting it all working safely is hard and may be impossible.
>
>Lastly, inevitably, someone will want to do VOIP with the outside world.
>For cost saving reasons, or whatever (but really so they can talk to their
>kid in college for "free") so there will be a move to let the VOIP through
>your firewall. Then you will discover VOIP-spam. Of course the guys
>who designed VOIP systems didn't take that into account, either.
>
>Like every other "new widget technology" VOIP will eventually mature
>just around the time that it's being replaced by some cool new new
>widget technology that didn't take into account any lessons learned
>from the last new widget technology. But there will be loads of vendors
>with a $15,000 1-U rack-mount appliance that offers a complete solution
>that fixes all those problems.
>
>mjr.
>
>_______________________________________________
>firewall-wizards mailing list
>firewall-wizards@honor.icsalabs.com
>http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

--__--__--

Message: 10
Date: Thu, 21 Jul 2005 21:16:31 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: Elizabeth Zwicky <zwicky@greatcircle.com>
Cc: Michael H <af_pilot33@hotmail.com>,
<firewall-wizards@honor.icsalabs.com>
Subject: Re: [fw-wiz] VOIP versus PBX

On Thu, 21 Jul 2005, Elizabeth Zwicky wrote:

> On Jul 21, 2005, at 1:55 PM, Michael H wrote:
> > Well here's the deal, they will also route our data traffic so we will
> > be eventually switching off our current T-1. We are also getting two
> > T-1's for some redundancy since I'm a little nervous.
>
> How much experience do you have with redundant T-1s and failures?

/me jumps in

Lots!

> In general, if you just buy 2 T-1s (even from different vendors, unless
> you pick the vendors VERY carefully), they will be routed across
> the exact same pieces of hardware for most of their lengths. The backhoe
> that goes through one will go through both. The switching hardware

Different wireline carriers are only easy to get in some locales, and are
certainly one of the things folks should look at. Post 9/11 it's getting
more and more difficult to get a look at the fiber maps for an area,
which makes carrier selection more difficult.

For new buildings, I try to do different ingress/egress points too.

> failure that kills one may well kill both. It's not uncommon for

I do have to say that I haven't seen that many switch failures in recent
years. It always seems to be a backhoe in an urban area or a span failure
on a pole in the middle of the circuit.

I spent a lot of the last month dealing with red alarms on data and voice
T-1s because the LEC wasn't as interested in fixing things as the CLEC the
customer bought the lines from.

A new data line got sent back to the splicers *twice* (it's great
when the LEC's tech really does want to do it right![1]) before the
circuit was sent to the CLEC. While the CLEC tech was in for acceptance
testing, he noticed the voice Ts doing sporadic alarms, and we had a
redundant data T set go out. For most of last week though, only one of
the data Ts was solid red. That's a first for me, as I usually don't
advise redundant circuits from the same carrier (but I didn't set this
place up.) Not that it's an endorsement for redundant Ts from the same
carrier- I'd still do the ILEC and a competing LEC (and there is one here,
though there wasn't when the circuits went in) if it were up to me.

After a month of escalating, griping and complaining, the LEC seems to
have gotten its act together and fixed the lines.

We've generated one PUC complaint, and about 12 tickets in a 5 month
period, but things are finally right. Of course, late last week there
were issues at the other end of one of the circuits. *sigh*

> 2 different vendors to be re-selling strands of the same cable owned
> by some third party. Even if they are in different cables, they will
> usually be in the same conduit.
>
> The really interesting question, however, is "What are the odds your phone
> line is in that conduit, too?" Because if that answer is above 75%, maybe
> it doesn't matter that your redundant T-1s aren't redundant. In my experience,
> redundant T-1s fail together more often than T-1s and phone service, but

I find that a little odd, since phone service is normally just another T-1
from the customer to the same CO. Though I do find that data T-1s fail
more often than voice, generally that's because the voice side recovers
more easily on poor quality lines (that is, both fail, but only the data
failure is noticeable.) Even small phone switches seem to do pretty well
getting around transient line failures that error data out completely.

> probably not even by a factor of 2, if you buy the T-1s from different vendors
> so that the bozos dealing with the software don't cut you off. If you buy
> the T-1s from the same vendor, there's no interesting redundancy at all;
> they almost always fail together.

If you're in a major city and you're not doing something that'll go round
a SONET ring, that backhoe's going to get you sooner or later. VoIP may
give you something like FX service, but I think you really have to think,
plan and pay for anything that's going to have serious redundancy.

Paul
[1] The circuit tested "within spec," so he could have just left and
called it done the first time.
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest
