Saturday, August 13, 2005

firewall-wizards digest, Vol 1 #1648 - 2 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. RE: Arch questions (Paul Melson)
2. Re: Filtering proxy for HTTP POST requests (Devdas Bhagat)

--__--__--

Message: 1
From: "Paul Melson" <pmelson@gmail.com>
To: "'Mike LeBlanc'" <mlinfosec@comcast.net>,
<firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] Arch questions
Date: Fri, 12 Aug 2005 10:35:46 -0400

-----Original Message-----
> Subject: [fw-wiz] Arch questions
>
> All,
> I am currently planning a move (bring an outsourced hosting overseas to
> the US). The basics are as follows
>
> inet rtr -->segment-->fw--->BIG IP--->IPS---->web
>
> The questions I have are:
> 1/ Someone has recently mentioned the idea of using private addressing
> between the inet rtr and the firewall, with public addressing on the web.
> What are the pros and cons?

Did that person mention the specific benefit of using RFC1918 addresses
outside the firewall? Was that person wearing a Cisco shirt? :)

Seriously, the pro is that it makes this network, at least in theory and
common practice, unroutable to the wider Internet. Your firewall's external
interface can't be easily portscanned, etc. The con is that you're
hardening your network by breaking it. I don't see an advantage to doing
this over using access-lists on the border router to prevent this same type
of traffic. And the thing about access-lists is that you can create
exceptions without having to readdress things or mess with routing. It's
also easier to troubleshoot.

> 2/ I was under the impression that we used NAT to "hide" the webserver for
> protection (obfuscation) as well as the fw rules to protect it. Comments?

NAT is *not* an access control mechanism.

There are things you can do with it that break basic IP routing that create
an additional layer of obscurity. (For instance, using port redirection
instead of static NAT makes it less likely that an attacker that can bypass
the firewall's rules can still route traffic to anything other than the
services you've published.) Of course, that same obscurity can be a problem
for you when it comes to troubleshooting. I'm starting to sense a theme
here.

I say stick to what you know and are comfortable with. That will probably
be 'more secure' because of your understanding of the environment - the
logical conclusion being that your understanding leads to accurate risk
assessment and appropriate layering of access controls within the
environment.

> 3/ My research shows I need to have specific certs (Apache and one other)
> for *each* webserver behind the Big IP.
> Anyone have any experience with F5 Big ip 1500s?

It's my understanding that you can offload the SSL connections to the Big IP
appliances. This gives you a number of advantages.

First, you only need one SSL certificate per unique site hosted on the
switch. This also makes adding servers to the site easier since they're not
unique. (Of course, if they need to be uniquely authenticated via
certificate, that's another story, but for
"I've-encrypted-our-session-with-a-cert-signed-by-a-disinterested-and-ignorant-public-CA-so-people-won't-sniff-your-credit-card"
e-commerce, it's just fine. :)

Second, you can place your IDS/IPS between the load balancer and the web
servers and see all web app traffic without the encrypted 'blind spot.'

Good luck with your move!

PaulM

PS - Can I trade consulting services for an upgrade to 6MB cable? :)
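An added illustration, not part of Paul's message or anything from the list, of the border-router access-list approach he prefers over RFC1918 addressing on the router/firewall segment: an ordered, first-match inbound ACL evaluated over sample packets, with the "exception" for a management host expressed as one permit line placed ahead of the deny it would otherwise be shadowed by. Every address, the management host, the web VIP and the transit segment are constructed for the example (documentation ranges), and the ACL semantics are the generic first-match-then-implicit-deny model rather than any one vendor's syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# All addresses below are constructed for this example (documentation ranges).
TRANSIT_SEGMENT = ipaddress.ip_network("203.0.113.0/29")   # inet rtr <-> fw segment
FW_EXTERNAL = ipaddress.ip_address("203.0.113.2")           # firewall outside interface
WEB_VIP = ipaddress.ip_address("203.0.113.80")              # published web service
MGMT_HOST = ipaddress.ip_address("198.51.100.10")           # hypothetical management host
ANY = ipaddress.ip_network("0.0.0.0/0")


def host(ip) -> ipaddress.IPv4Network:
    """/32 network for a single host, like 'host x.x.x.x' in router ACL syntax."""
    return ipaddress.ip_network(f"{ip}/32")


@dataclass(frozen=True)
class AclEntry:
    action: str                        # "permit" or "deny"
    proto: str                         # "tcp", "udp", "icmp", or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None        # None matches any destination port
    comment: str = ""

    def matches(self, proto: str, src, dst, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if src not in self.src or dst not in self.dst:
            return False
        return self.dport is None or self.dport == dport


# Inbound ACL on the border router's Internet-facing interface; first match wins.
# The management exception sits *before* the deny that protects the transit
# segment: an exception is one added line, not a readdressing exercise.
INBOUND_ACL: List[AclEntry] = [
    AclEntry("deny", "ip", ipaddress.ip_network("10.0.0.0/8"), ANY, comment="anti-spoof: RFC1918 source"),
    AclEntry("deny", "ip", ipaddress.ip_network("172.16.0.0/12"), ANY, comment="anti-spoof: RFC1918 source"),
    AclEntry("deny", "ip", ipaddress.ip_network("192.168.0.0/16"), ANY, comment="anti-spoof: RFC1918 source"),
    AclEntry("permit", "tcp", host(MGMT_HOST), host(FW_EXTERNAL), 22, comment="exception: mgmt SSH to firewall"),
    AclEntry("deny", "ip", ANY, TRANSIT_SEGMENT, comment="no other traffic to the router/firewall segment"),
    AclEntry("permit", "tcp", ANY, host(WEB_VIP), 443, comment="published HTTPS"),
    AclEntry("permit", "tcp", ANY, host(WEB_VIP), 80, comment="published HTTP"),
    # Router ACLs end with an implicit deny; evaluate() reproduces it.
]


def evaluate(acl: List[AclEntry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, comment) of the first matching entry, else the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acl:
        if entry.matches(proto, s, d, dport):
            return entry.action, entry.comment
    return "deny", "implicit deny"


def add_exception(acl: List[AclEntry], entry: AclEntry) -> List[AclEntry]:
    """Return a copy of the ACL with a new permit inserted ahead of the first deny
    that would shadow it (checked on the entry's representative addresses)."""
    for i, existing in enumerate(acl):
        if existing.action == "deny" and existing.matches(
                entry.proto, entry.src.network_address, entry.dst.network_address, entry.dport):
            return acl[:i] + [entry] + acl[i:]
    return acl + [entry]


if __name__ == "__main__":
    samples = [
        ("tcp", "192.0.2.55", str(FW_EXTERNAL), 22),     # Internet host probing the firewall
        ("tcp", str(MGMT_HOST), str(FW_EXTERNAL), 22),   # management exception
        ("tcp", "192.0.2.55", str(WEB_VIP), 443),        # normal customer traffic
        ("tcp", "10.1.1.1", str(WEB_VIP), 443),          # spoofed RFC1918 source
        ("tcp", "192.0.2.55", str(WEB_VIP), 8080),       # unpublished port
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(INBOUND_ACL, *pkt))
```

The ordering is the whole point: the anti-spoof denies come first, the per-host exception comes before the blanket deny on the transit segment, and published services follow. Troubleshooting a rejected connection then means reading down the list to the line that matched, which is the advantage Paul describes over making the segment unroutable.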

--__--__--

Message: 2
Date: Fri, 12 Aug 2005 20:13:02 +0530
From: Devdas Bhagat <devdas@dvb.homelinux.org>
To: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Filtering proxy for HTTP POST requests
Reply-To: Devdas Bhagat <devdas@dvb.homelinux.org>

On 08/08/05 22:14 +0530, Devdas Bhagat wrote:
> Does anyone have suggestions/recommendations for a HTTP proxy (cheap/free)
> which can filter based on content. Preferably something capable of
> Bayesian analysis of content? It needs to work in ISP environments, so
> transparent proxy support would be ideal.
>
> Traffic to be filtered is outbound from the browser to the server.

Apparently, I was not clear enough in my requirement. I work at $BIG
email service provider, and we have the usual infestations of scammers.
While _we_ do try and block stuff, most of our work is reactive.

We are working with the ISPs from where this stuff tends to originate
and I was looking for something which would be able to filter on
specific content in the POST request.

Ideally, I would like to be able to plug in SpamAssassin as a content
filter into the HTTP proxy. If there is no such proxy yet, I guess I
shall have to code it myself in my copious spare time.

Devdas Bhagat
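As an added example, not taken from Devdas's message or any existing proxy, here is the decision core a POST-filtering proxy of the kind he describes would need: frame one request exactly, pull the form-field values out of the body, hand the text to a scorer, and block above a threshold. The keyword weights are a constructed stand-in for the classifier (in his setup that would be SpamAssassin; the proxy's only job is to get the text to it and act on the verdict); the sample requests, host names, paths and threshold are constructed too, and the socket-level plumbing of a transparent proxy is left out.

```python
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed keyword weights standing in for a real content classifier.
RULES: Dict[str, float] = {
    "verify your account": 2.5,
    "click here": 1.5,
    "urgent": 1.0,
    "password": 1.0,
    "http://": 0.5,
}
BLOCK_THRESHOLD = 4.0   # constructed; a real deployment tunes this per classifier


class ParseError(ValueError):
    pass


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split one raw HTTP/1.x request into (method, target, headers, body).

    Anything the proxy cannot frame exactly is rejected: a filter that guesses
    at message boundaries may score a different body than the server receives.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ParseError("no end of headers")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("ascii", "strict").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ParseError("malformed request line")
    method, target, _version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon or not name.strip():
            raise ParseError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    if "transfer-encoding" in headers:
        raise ParseError("chunked bodies not handled in this example")
    length = int(headers.get("content-length", "0"))
    if len(rest) < length:
        raise ParseError("truncated body")
    return method, target, headers, rest[:length]


def extract_text(headers: Dict[str, str], body: bytes) -> str:
    """Text for the scorer: decoded form-field values for urlencoded posts,
    otherwise the body as-is."""
    text = body.decode("utf-8", "replace")
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(text, keep_blank_values=True)
        return "\n".join(v for values in fields.values() for v in values)
    return text


def score_text(text: str) -> float:
    """Stand-in scorer; the plug-in point where SpamAssassin would be called."""
    low = text.lower()
    return sum(weight * low.count(phrase) for phrase, weight in RULES.items())


def filter_request(raw: bytes) -> Tuple[str, float, str]:
    """Proxy decision for one request: ('pass'|'block'|'reject', score, reason).
    Only POST bodies are scored; everything else passes untouched."""
    try:
        method, _target, headers, body = parse_http_request(raw)
    except ValueError as exc:          # ParseError, bad int(), bad decode
        return "reject", 0.0, f"malformed request: {exc}"
    if method != "POST" or not body:
        return "pass", 0.0, "not a POST with a body"
    score = score_text(extract_text(headers, body))
    if score >= BLOCK_THRESHOLD:
        return "block", score, "content score over threshold"
    return "pass", score, "content score under threshold"


def build_post(path: str, fields: Dict[str, str]) -> bytes:
    """Constructed sample request, framed the way a browser form submission is."""
    body = urlencode(fields).encode()
    head = (f"POST {path} HTTP/1.1\r\nHost: mail.example.com\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


# Constructed samples: a scam-style webmail send, a harmless one, a GET, a cut-off body.
SCAM_POST = build_post("/cgi-bin/send.cgi", {
    "to": "victim@example.com",
    "subject": "URGENT",
    "body": "Please verify your account now: click here http://example.org/login",
})
BENIGN_POST = build_post("/cgi-bin/send.cgi", {
    "to": "friend@example.com",
    "body": "Thanks for the help with the firewall design.",
})
PLAIN_GET = b"GET /inbox HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"
TRUNCATED = SCAM_POST[:-10]

if __name__ == "__main__":
    for name, req in [("scam", SCAM_POST), ("benign", BENIGN_POST),
                      ("get", PLAIN_GET), ("truncated", TRUNCATED)]:
        print(name, filter_request(req))
```

The shape matters more than the stand-in rules: the proxy decodes the form exactly as the webmail CGI would, so the classifier scores what the recipient would have been sent rather than the percent-encoded wire bytes, and a request the proxy cannot frame is refused rather than passed through unscored.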

--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest