Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com
You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: Internet accessible screened subnet - use public
or private IPs? (David Lang)
2. Re: Intel vs. special purpose FW-1 servers (David Lang)
3. RE: Intel vs. special purpose FW-1 servers (Keith A. Glass)
4. Re: Intel vs. special purpose FW-1 servers (Marcus J. Ranum)
5. Re: FW: [fw-wiz] VOIP versus PBX (Devdas Bhagat)
6. Re: Discretionary WiFi Access (Josh Welch)
7. Re: Discretionary WiFi Access (Josh Welch)
8. Re: Internet accessible screened subnet - use public or private IPs? (Dave Piscitello)
--__--__--
Message: 1
From: David Lang <david.lang@digitalinsight.com>
To: "Paul D. Robertson" <paul@compuwar.net>
Cc: Matt Bazan <Mbazan@onelegal.com>,
firewall-wizards@honor.icsalabs.com
Date: Thu, 21 Jul 2005 18:28:22 -0700 (PDT)
Subject: Re: [fw-wiz] Internet accessible screened subnet - use public
or private IPs?
On Thu, 21 Jul 2005, Paul D. Robertson wrote:
> On Fri, 15 Jul 2005, Matt Bazan wrote:
>
>> Is there a preferred method of setting up an Internet-facing screened
>> subnet and the use of public or private IP addresses? Looking at
>> redesigning our DMZ to only include public resources (www, smtp, imap,
>> ftp). Presently we use a private IP address range for this that is
>> NAT'ed at our firewall. Any reasons to change this policy to using
>> public IPs in the DMZ? Thanks,
>
> If you're NATing to your internal network, then a rework is necessary-
> public stuff should be on its own (preferably) physical subnet.
>
> IP addressing doesn't matter much, since you'll be letting stuff through
> the most likely exploit vectors anyway.
The thing I've been hearing for years about why NAT is better is that you
may change ISPs and end up with a new set of IP addresses, which are
easier to change if you NAT.
This may be true (I've actually never seen anyone actually DO this), but
you are trading one-time headaches (which I personally believe are no more
severe than all the other changes that you need to make when changing
things: firewalls, DNS, NAT tables, etc.) for ongoing overhead (performance
on your NAT device, troubleshooting, bugs in the NAT implementation,
overloading of the NAT tables, etc.).
I would definitely have things that serve the Internet use public
addresses; once you get behind that layer and have devices that only talk
to internal stuff, then make it all private addresses.
David Lang
--
There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
-- C.A.R. Hoare
--__--__--
Message: 2
From: David Lang <david.lang@digitalinsight.com>
To: Emily Conrad <emilydconrad@hotmail.com>
Cc: firewall-wizards@honor.icsalabs.com
Date: Thu, 21 Jul 2005 18:23:45 -0700 (PDT)
Subject: Re: [fw-wiz] Intel vs. special purpose FW-1 servers
As others have said, find out what your real performance requirements are,
and keep the future in mind.
Check the cost of upgrading the 'optimized' hardware; you may be amazed
at the costs ($1k for 512M of RAM, for example).
Generic x86 hardware is so fast nowadays that I really doubt that you need
the added performance from an 'optimized' version.
There are valid arguments (on both sides) about managing the OS yourself
vs. trusting the vendor to do all the OS changes (the appliance approach).
Personally, I would buy my own hardware and run it myself; there are just
too many times when I want to do just a little something extra on the
firewall that would be trivial to script, but isn't allowed on an
appliance.
David Lang
On Tue, 12 Jul 2005, Emily Conrad wrote:
> Date: Tue, 12 Jul 2005 20:17:59 +0000
> From: Emily Conrad <emilydconrad@hotmail.com>
> To: firewall-wizards@honor.icsalabs.com
> Subject: [fw-wiz] Intel vs. special purpose FW-1 servers
>
> Hello,
>
> We are working on a project to upgrade our firewall infrastructure.
>
> One of the questions is whether to use FW-1 on a standard Intel server or to
> use a special-purpose optimized version of FW-1 on a dedicated hardware
> platform such as Nokia firewall appliance or Crossbeam systems C30/X40.
>
> Does anyone have any advice on what factors are important when making such a
> decision?
>
>
> Thanks,
>
> Emily
>
--__--__--
Message: 3
From: "Keith A. Glass" <salgak@speakeasy.net>
To: "'David Lang'" <david.lang@digitalinsight.com>,
"'Emily Conrad'" <emilydconrad@hotmail.com>
Cc: <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] Intel vs. special purpose FW-1 servers
Date: Thu, 21 Jul 2005 21:57:58 -0400
-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of David Lang
Sent: Thursday, July 21, 2005 9:24 PM
To: Emily Conrad
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Intel vs. special purpose FW-1 servers
>there are valid arguments (on both sides) about managing the OS yourself
>vs trusting the vendor to do all the OS changes (the appliance approach)
True. If I'm going with a single stand-alone firewall, I'd homebrew it
using commodity gear.
I still lean towards the Nortel/Alteon platform, ***IF*** you're clustering
***and IF*** you're doing a lot of nets or DMZs and don't want to spend all
the remaining budget on high-end switching gear. We do that, plus load
balancing, using 2 Alteon Directors and 2 Alteon Accelerators, and have
configurable switch ports on the Accelerators to spare. We run NG AI R55,
and are starting to experiment with NGX (i.e. R60).
Then again, the PREVIOUS time I'd clustered Checkpoint, it was still V4, and
we had not, at the time, moved up to NG AI, and as such, needed a LOT of
Cisco fiddling to make it work. . .
--__--__--
Message: 4
Date: Thu, 21 Jul 2005 23:06:26 -0400
To: David Lang <david.lang@digitalinsight.com>,
Emily Conrad <emilydconrad@hotmail.com>
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Intel vs. special purpose FW-1 servers
Cc: firewall-wizards@honor.icsalabs.com
David Lang wrote:
>as others have said, find out what your real performance requirements are, and keep the future in mind.
I'd like to comment on the "future" issue. Keep it in mind, but don't waste
your money on extra capacity. The cost of capacity will drop and technology
will track the growth in capacity over time. Buying something that has a
future is pointless for 3 reasons:
- The future will be different than you think it will be
- The company you buy a "future-proof" product from only has a 50/50 chance of
having a future itself
- The future will be cheaper than the present - and in the VERY RARE case
where it's not, the same thing that makes it more expensive will also
make your capacity upgrade more expensive, so it'll be irrelevant
With technology today I recommend (in general) never buying maintenance
and expecting to turn a product over every year or 2 - or keep it indefinitely
as long as it works. I tend to do scorched-earth hard disk upgrades every
2 years (yay, digital photography) but I am still using Office '95 and it runs
just great on my 2GHz machine.
So, yes, think about the future - but think about it from the standpoint
of "most of this stuff DOESN'T HAVE A FUTURE."
mjr.
--__--__--
Message: 5
Date: Fri, 22 Jul 2005 13:42:58 +0530
From: Devdas Bhagat <devdas@dvb.homelinux.org>
To: firewall-wizards@honor.icsalabs.com
Subject: Re: FW: [fw-wiz] VOIP versus PBX
Reply-To: Devdas Bhagat <devdas@dvb.homelinux.org>
On 21/07/05 13:31 -0700, Roelof JT Jonkman wrote:
> Yehuda,
>
> This is a bit of an opinion piece, but nevertheless may give some insight:
>
> I'm a bit surprised that VOIP is getting so much traction. First thing
Actually, if you look past the residential market, the major place where
VoIP will gain is in international calls. Instead of being billed by the
minute, VoIP at both ends makes it feasible to have much cheaper
conversations. As the percentage of outsourcing increases, international
voice traffic will become more commonly used, and VoIP provides large
cost benefits there. And when you are implementing a VoIP backbone
anyway, you might as well save on the PBX and go all VoIP.
How much does your business depend on email, BTW?
Devdas Bhagat
--__--__--
Message: 6
Date: Fri, 22 Jul 2005 07:54:19 -0500
From: Josh Welch <jwelch@buffalowildwings.com>
To: "Paul D. Robertson" <paul@compuwar.net>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Discretionary WiFi Access
Paul D. Robertson wrote:
> On Fri, 8 Jul 2005, Josh Welch wrote:
>
>
>>I have setup an access point outside of our firewall for this express
>>purpose. It is wide open and I simply monitor port usage to keep an eye
>>out for any abuse, it hasn't been an issue so far.
>
>
> Isn't this kind of SBCYF[1]?
>
> Paul
> [1] Security by crossing your fingers.
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal opinions
> paul@compuwar.net which may have no basis whatsoever in fact."
>
Maybe, but I don't see it that way.
The access point is outside of our firewall, which keeps it away from
things inside my network. I monitor port usage for odd usage patterns,
which helps prevent the misuse of the access point. I've checked around
the building for the signal; I haven't been able to pick it up from
outside the building, which is not to say it can't be done, but it can't
be done easily.
Is it perfect? No. But I prefer to think of it as doing the best I can
with the resources available to me.
Josh
--__--__--
Message: 7
Date: Fri, 22 Jul 2005 07:56:58 -0500
From: Josh Welch <jwelch@buffalowildwings.com>
To: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Discretionary WiFi Access
Jim Seymour wrote:
> "Paul D. Robertson" <paul@compuwar.net> wrote:
>
>>On Fri, 8 Jul 2005, Josh Welch wrote:
>>
>>
>>>I have setup an access point outside of our firewall for this express
>>>purpose. It is wide open and I simply monitor port usage to keep an eye
>>>out for any abuse, it hasn't been an issue so far.
>>
>>Isn't this kind of SBCYF[1]?
>
>
> "Kind of?" ;)
>
> Another thing, which I haven't seen discussed: It seems probable that
> the access in question would naturally be less restricted than what's
> normally allowed by one's corporate firewall, yeah? (Well, unless one
> has killed their firewall [1] ;).) E.g.: Perhaps SMTP, POP3, IMAP, Net
> Meeting (*barf*), etc., unfiltered. You'll want some way to keep
> employees with wireless capability from accessing your insecure
> courtesy WLAN--particularly whilst they're connected to your secured
> LAN (router, anybody?).
Now this is a much more interesting argument to me. One which I will
take up with my management. I'm a bit annoyed that this one didn't occur
to me in the first place.
Thanks,
Josh
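Jim Seymour's point about an employee who is on the secured LAN and the open courtesy WLAN at the same time, as an added example that is not part of the thread: a Python script that correlates ISC dhcpd DHCPACK lines from both segments and flags clients holding overlapping leases on each. The interface-to-network mapping, the lease length, the year and the log lines are constructed assumptions. Because a laptop's wired and wireless NICs have different MAC addresses, the script correlates on the client-supplied hostname; matching on MAC finds nothing, which the `key="mac"` option exists to show.

```python
"""Flag clients that hold a DHCP lease on the secured LAN and the open
courtesy WLAN at the same time.

Added example, not code from the thread. The interface-to-network mapping,
the lease length, the year and the log lines are constructed assumptions.
A laptop's wired and wireless NICs have different MAC addresses, so the
correlation key is the client-supplied hostname, not the MAC.
"""
import re
from datetime import datetime, timedelta

# ISC dhcpd syslog shape (constructed), with and without a client hostname:
#   Jul 22 07:40:02 dhcp dhcpd: DHCPACK on 10.0.5.23 to 00:11:22:33:44:55 (laptop-jsmith) via eth1
#   Jul 22 07:50:00 dhcp dhcpd: DHCPACK on 172.16.9.43 to 00:de:ad:be:ef:01 via eth2
ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (?P<ip>\S+) "
    r"to (?P<mac>[0-9a-f:]{17})(?: \((?P<host>[^)]*)\))? via (?P<ifc>\S+)$")

# Assumed: one dhcpd serving both segments on separate interfaces.
NETWORKS = {"eth1": "lan", "eth2": "courtesy-wlan"}

# Constructed sample: laptop-jsmith is on both segments at once (two MACs);
# desk-acct01 used the WLAN well after its LAN lease would have expired.
SAMPLE_LOG = """\
Jul 22 07:40:02 dhcp dhcpd: DHCPACK on 10.0.5.23 to 00:11:22:33:44:55 (laptop-jsmith) via eth1
Jul 22 07:41:10 dhcp dhcpd: DHCPACK on 172.16.9.40 to 00:11:22:33:44:99 (laptop-jsmith) via eth2
Jul 22 07:42:30 dhcp dhcpd: DHCPACK on 172.16.9.41 to 00:aa:bb:cc:dd:ee (visitor-pda) via eth2
Jul 22 07:45:00 dhcp dhcpd: DHCPACK on 10.0.5.30 to 00:11:22:33:44:77 (desk-acct01) via eth1
Jul 22 07:50:00 dhcp dhcpd: DHCPACK on 172.16.9.43 to 00:de:ad:be:ef:01 via eth2
Jul 22 09:10:00 dhcp dhcpd: DHCPACK on 172.16.9.42 to 00:11:22:33:44:66 (desk-acct01) via eth2
"""


def parse_acks(log_text, year=2005, lease_seconds=3600):
    """Yield one lease record per DHCPACK line seen on a known interface."""
    for line in log_text.splitlines():
        m = ACK_RE.match(line.strip())
        if not m or m["ifc"] not in NETWORKS:
            continue
        # syslog carries no year; collapse the double space of single-digit days
        stamp = f"{year} {' '.join(m['ts'].split())}"
        start = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        yield {"net": NETWORKS[m["ifc"]], "ip": m["ip"], "mac": m["mac"],
               "host": m["host"], "start": start,
               "end": start + timedelta(seconds=lease_seconds)}


def dual_homed(log_text, key="host", **parse_kw):
    """Return {identity: {"lan": ip, "courtesy-wlan": ip}} for clients whose
    lease on one network overlaps in time with a lease on the other.

    key="host" correlates by client hostname; key="mac" is provided only to
    show that it cannot match a host's wired NIC to its wireless NIC.
    """
    by_identity = {}
    for rec in parse_acks(log_text, **parse_kw):
        if rec[key]:  # an ACK without a hostname cannot be correlated by host
            by_identity.setdefault(rec[key], []).append(rec)
    found = {}
    for ident, recs in by_identity.items():
        lan = [r for r in recs if r["net"] == "lan"]
        wlan = [r for r in recs if r["net"] == "courtesy-wlan"]
        for a in lan:
            for b in wlan:
                if a["start"] < b["end"] and b["start"] < a["end"]:
                    found[ident] = {"lan": a["ip"], "courtesy-wlan": b["ip"]}
    return found


if __name__ == "__main__":
    for host, ips in dual_homed(SAMPLE_LOG).items():
        print(f"{host}: LAN {ips['lan']} and courtesy WLAN {ips['courtesy-wlan']} at once")
```

The hostname is chosen by the client, so a device that sends none, or sends a different one on each interface, is not caught; this is a monitoring aid for the "watch for odd usage" approach, not a control. Preventing the bridge itself needs a rule on the endpoints (for example, disabling the wireless interface while on the wired LAN) or keeping employee devices off the courtesy SSID altogether.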
--__--__--
Message: 8
From: "Dave Piscitello" <dave@corecom.com>
To: David Lang <david.lang@digitalinsight.com>
Date: Fri, 22 Jul 2005 09:33:23 -0400
Subject: Re: [fw-wiz] Internet accessible screened subnet - use public or private IPs?
Reply-To: dave@corecom.com
Cc: firewall-wizards@honor.icsalabs.com
Isn't this a question of whether you want to route or NAT?
A server that is Internet-facing has to have (or be reachable via) a
public IP. If your ISP changes your block of public IP addresses, you
have to change:
1) the mapping between your private IP addresses and the new public
IP addresses (the static or 1:1 NAT case) or
2) the IP addresses of all the servers, the IPs of the trusted and
external interfaces on the firewall, and the routing table (or
routing protocol configuration)
(2) seems like a whole lot more work to me.
On 21 Jul 2005 at 18:28, David Lang wrote:
> On Thu, 21 Jul 2005, Paul D. Robertson wrote:
>
> > On Fri, 15 Jul 2005, Matt Bazan wrote:
> >
> >> Is there a preferred method of setting up an Internet-facing
> >> screened subnet and the use of public or private IP addresses?
> >> Looking at redesigning our DMZ to only include public resources
> >> (www, smtp, imap, ftp). Presently we use a private IP address
> >> range for this that is NAT'ed at our firewall. Any reasons to
> >> change this policy to using public IPs in the DMZ? Thanks,
> >
> > If you're NATing to your internal network, then a rework is
> > necessary- public stuff should be on its own (preferably) physical
> > subnet.
> >
> > IP addressing doesn't matter much, since you'll be letting stuff
> > through the most likely exploit vectors anyway.
>
> The thing I've been hearing for years about why NAT is better is that
> you may change ISPs and end up with a new set of IP addresses, which
> are easier to change if you NAT.
>
> This may be true (I've actually never seen anyone actually DO this),
> but you are trading one-time headaches (which I personally believe are
> no more severe than all the other changes that you need to make when
> changing things: firewalls, DNS, NAT tables, etc.) for ongoing overhead
> (performance on your NAT device, troubleshooting, bugs in the NAT
> implementation, overloading of the NAT tables, etc.).
>
> I would definitely have things that serve the Internet use public
> addresses; once you get behind that layer and have devices that only
> talk to internal stuff, then make it all private addresses.
>
> David Lang
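The static 1:1 NAT case Dave Piscitello lists as option (1), and the ongoing-overhead side of David Lang's argument in message 1, as an added example that is not part of the thread: a Python script that keeps the DMZ public-to-private map as data, renders it as an nftables nat table, and shows that an ISP renumbering changes only the public side of that map. The host names, the private DMZ range, the public blocks (RFC 5737 documentation space) and the WAN interface name are assumptions.

```python
"""Static 1:1 NAT for a DMZ kept as data, so an ISP renumbering is a map change.

Added example, not code from the thread. Host names, the private DMZ range,
the public blocks (RFC 5737 documentation space) and the WAN interface name
are assumptions.
"""
import ipaddress

# Constructed DMZ inventory: these private addresses never change when the
# public block does, which is the whole point of the 1:1 NAT design.
DMZ_HOSTS = {
    "www":  "192.168.100.10",
    "smtp": "192.168.100.11",
    "imap": "192.168.100.12",
    "ftp":  "192.168.100.13",
}


def build_nat_map(public_block, hosts):
    """Assign each DMZ host a public address from the block, in inventory order.

    Returns {name: (public_ip, private_ip)}. The network and broadcast
    addresses of the block are skipped; a block too small for the inventory
    is an error rather than a silent partial map.
    """
    usable = list(ipaddress.ip_network(public_block, strict=True).hosts())
    if len(usable) < len(hosts):
        raise ValueError(
            f"{public_block} has {len(usable)} usable addresses, need {len(hosts)}")
    return {name: (str(usable[i]), priv)
            for i, (name, priv) in enumerate(hosts.items())}


def nft_rules(nat_map, wan_if="eth0"):
    """Render the map as an nftables nat table: DNAT inbound, SNAT outbound.

    This table only translates; it does not filter. The DMZ still needs an
    explicit forward policy that permits just the published services.
    """
    out = ["table ip nat {",
           "    chain prerouting {",
           "        type nat hook prerouting priority dstnat;"]
    for name, (pub, priv) in nat_map.items():
        out.append(f'        iifname "{wan_if}" ip daddr {pub} dnat to {priv}  # {name}')
    out += ["    }",
            "    chain postrouting {",
            "        type nat hook postrouting priority srcnat;"]
    for name, (pub, priv) in nat_map.items():
        out.append(f'        oifname "{wan_if}" ip saddr {priv} snat to {pub}  # {name}')
    out += ["    }", "}"]
    return "\n".join(out)


def renumber_diff(old_block, new_block, hosts):
    """What an ISP renumbering touches under 1:1 NAT.

    Returns (public_changes, private_changes) as {name: (old, new)}. The
    second dict is always empty: the servers keep their addresses, only the
    translation map (and public DNS) changes.
    """
    old = build_nat_map(old_block, hosts)
    new = build_nat_map(new_block, hosts)
    public_changes = {n: (old[n][0], new[n][0]) for n in hosts if old[n][0] != new[n][0]}
    private_changes = {n: (old[n][1], new[n][1]) for n in hosts if old[n][1] != new[n][1]}
    return public_changes, private_changes


if __name__ == "__main__":
    nat_map = build_nat_map("203.0.113.8/29", DMZ_HOSTS)
    print(nft_rules(nat_map, wan_if="eth0"))
    pub, priv = renumber_diff("203.0.113.8/29", "198.51.100.16/29", DMZ_HOSTS)
    print("public side changes:", pub)
    print("private side changes:", priv)
```

The map is also the cost David Lang describes: every translated connection occupies a conntrack entry on the firewall, so the state table has to be sized for the busiest service, and a translation bug affects all four services at once. With public addresses on the servers, none of this table exists, but a renumbering then touches every server, the firewall interfaces and the routing, as option (2) says. Public DNS records change in either design.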
--__--__--
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest