
Wednesday, September 07, 2005

firewall-wizards digest, Vol 1 #1658 - 7 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. Re: PIX firewall licensing and beyond (newbie) (Ryan Steinmetz)
2. Re: PIX firewall licensing and beyond (newbie) (Victor Williams)
3. RE: PIX firewall licensing and beyond (newbie) (Paul Melson)
4. RE: Cisco Remote Access VPN Problem (Paul Melson)
5. Re: PIX firewall licensing and beyond (newbie) (David Lang)
6. Re: stopping bots from phoning home (mason@schmitt.ca)
7. The home user problem returns (mason@schmitt.ca)

--__--__--

Message: 1
Date: Wed, 7 Sep 2005 11:33:45 -0400
From: Ryan Steinmetz <rpsfa@rit.edu>
To: Vahid Pazirandeh <vpaziran@yahoo.com>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] PIX firewall licensing and beyond (newbie)

On (09/05/05 20:40), Vahid Pazirandeh wrote:
> Hello everyone,
>
> I come from a linux admin background and have an assignment to setup a pix
> firewall. This is new territory and will be my first time playing with pix os
> instead of iptables. Please excuse my newb questions, but we all start
> somewhere. :-)
>
> 1. Which model? Our servers are in a co-location with a 100mbit drop. Would
> that make the 515E the right choice if we actually want to make use of our
> bandwidth? The pix becomes the bottleneck?

The 515E should suffice, it is capable of handling about 180mbit of traffic.

>
> 2. I'm a little uneasy about the licensing. What are the typical features I
> should make sure that are included (e.g., 3DES)? What should I watch out for.

3DES/AES licenses are free from cisco.com. Details about the licensing options are available at:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a00800b0d85.html

It breaks down to either a Restricted (R) license or an Unrestricted (UR) license.
There is also a separate license for Failover units (see above URL).

The Restricted license is limited to 3 physical ports and a maximum of 5 ports (via an 802.1q trunk).
In order to add more ports, you will need the UR license.

>
> 3. I read somewhere that vlan support is only in pix os 6.3. Is vlan support
> also based on which model I'm using, or do all pix firewall models have this
> feature?

All PIXs running 6.3 or above that are equal to or higher in model than the 515 will support 802.1q trunks.
>
> 4. How many physical ports do the pix firewalls typically come with? It seems
> like it's 2: one uplink, one downlink. I can already think of 3 security
> levels that I want my servers separated into. Does that mean I have to buy
> expansion slots? Or should I use VLANs instead?

There are 2 restricted bundles available, one has 3 ports, the other has 2.
The PIX has 2 expansion slots, one of which would be in use if you purchased the model with 3 ports.

You could use VLANs, the only thing you need to keep in mind is that the interface itself is still limited to 100mbit.
>
> 5. Any recommendations on a location to order the pix firewall and licensing
> from? Good deals, good support, etc.

CDW (www.cdw.com) is always a safe bet, however, you may be able to find it cheaper elsewhere.
Support is typically handled through Cisco via a SMARTnet contract (which is also available from the place you choose to buy the PIX from).
>
> 6. Any recommendations on some online reading that will help with implementing
> the pix firewall? It would help to see some example network layouts to get a
> better idea of how the components should be pieced together.

Cisco's documentation can be helpful. Check out their website at www.cisco.com
>
> Here are a few places that I've already scoped out:
> http://www.netcraftsmen.net/welcher/papers/pix01.html (also:
> pix02-pix04.html)
> http://www.examcram2.com/articles/article.asp?p=101741&seqNum=1
>
> Your guidance would be very helpful. Thanks for a great mail list!
>
> A PIX student in training,
> -Vahid
>
> =============================================
> "Make it better before you make it faster."
> =============================================
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

--
Ryan Steinmetz
Systems Administrator
Finance & Administration
Systems & Technology
Rochester Institute of Technology
585.475.5663

--__--__--

Message: 2
Date: Wed, 07 Sep 2005 10:48:58 -0500
From: Victor Williams <vbwilliams@neb.rr.com>
To: Vahid Pazirandeh <vpaziran@yahoo.com>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] PIX firewall licensing and beyond (newbie)

1. This depends on your expected traffic. Are you serving stuff on the
internet? Or are you trying to separate two networks that really
shouldn't see each other on the same LAN? I've never had performance
issues with a PIX 515 or higher, but then I've never had more than 10
meg of available bandwidth on its outside (internet-facing) interface.
Your mileage is going to vary based on your application.

2. It's not the licensing really. You need to check out cisco.com and
see which package of which firewalls are available. Cisco sells the
same units, with the same software on all of them. Your activation keys
are what limit what you can do with them. I never run lower than PIX
515E unrestricted packages. Restricted licences limit the functionality
of the unit. Unrestricted licenses basically let you do what you want,
with the confines of the unit only being limited by its throughput and
other such factors.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_models_home.html

3. 6.3 and forward. PIX OS is up to 7.0(2) now. All of the PIX
firewalls support vlans to an extent except the PIX 501 I believe.
Again, check Cisco's website from above.

4. Depends on the package. Consult point 2 for the link.

5. www.cdw.com is the cheapest that I've found hands down. When you
buy support, you buy them from Cisco. So, if something goes wrong, you
will be calling Cisco, not CDW. That's how it works.

6. I suggest reading any/all sections of the Cisco website pertaining
to the PIX firewalls...since it is their product.

Additionally, www.tek-tips.com has a section dedicated to PIX firewall
setup. However, I would read Cisco's website first and foremost. They
have over 100 articles just in their configuration and setup section
that will tell you how to do lots of simple as well as advanced things.
Cisco is very good about supporting their product. If you cannot find
configurations on their website and you have a support contract, if you
call them, they will walk you through whatever you want to do, and worst
case, they will get remote access to your environment and do it for you.
I've never had them on the phone and they not solve whatever issue I
have...but I've only ever needed to call them maybe 3-4 times.

Vahid Pazirandeh wrote:
> Hello everyone,
>
> I come from a linux admin background and have an assignment to setup a pix
> firewall. This is new territory and will be my first time playing with pix os
> instead of iptables. Please excuse my newb questions, but we all start
> somewhere. :-)
>
> 1. Which model? Our servers are in a co-location with a 100mbit drop. Would
> that make the 515E the right choice if we actually want to make use of our
> bandwidth? The pix becomes the bottleneck?
>
> 2. I'm a little uneasy about the licensing. What are the typical features I
> should make sure that are included (e.g., 3DES)? What should I watch out for.
>
> 3. I read somewhere that vlan support is only in pix os 6.3. Is vlan support
> also based on which model I'm using, or do all pix firewall models have this
> feature?
>
> 4. How many physical ports do the pix firewalls typically come with? It seems
> like it's 2: one uplink, one downlink. I can already think of 3 security
> levels that I want my servers separated into. Does that mean I have to buy
> expansion slots? Or should I use VLANs instead?
>
> 5. Any recommendations on a location to order the pix firewall and licensing
> from? Good deals, good support, etc.
>
> 6. Any recommendations on some online reading that will help with implementing
> the pix firewall? It would help to see some example network layouts to get a
> better idea of how the components should be pieced together.
>
> Here are a few places that I've already scoped out:
> http://www.netcraftsmen.net/welcher/papers/pix01.html (also:
> pix02-pix04.html)
> http://www.examcram2.com/articles/article.asp?p=101741&seqNum=1
>
> Your guidance would be very helpful. Thanks for a great mail list!
>
> A PIX student in training,
> -Vahid
>
> =============================================
> "Make it better before you make it faster."
> =============================================

--__--__--

Message: 3
From: "Paul Melson" <pmelson@gmail.com>
To: "'Vahid Pazirandeh'" <vpaziran@yahoo.com>,
<firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] PIX firewall licensing and beyond (newbie)
Date: Wed, 7 Sep 2005 13:49:35 -0400

1. That depends on how much bandwidth you'll actually use and what you're
doing with the PIX. If, for example, the actual pipe is a frac T3 burstable
to 45Mbps and your servers are going to pass primarily TCP traffic across
the PIX, a 515E is a fine choice. Want to do large volume VPN tunnels or
use the full 100Mb link for sustained periods, you may be looking for
something bigger.

2. There's no more licensing for 3DES/AES. Any PIX can get a key free from
Cisco, and anything you buy new should come with it. The big choice you're
looking at is R-BUN vs. UR-BUN. If you only need 2-3 interfaces, are just
sticking tens of servers behind it (and not an office full of users), and
don't need fail-over, then the R-BUN is perfect for you. Otherwise, UR-BUN.

3. Nope. PIX OS is PIX OS no matter the model. (unless it's 7.x)

4. Depends on the model, but the 515E comes with at least 2 ports but can be
configured for 3, 4, or 6 interfaces as well. You buy either 1-port (1FE)
cards, or a 4-port card (4-FE). Remember that 4 or 6 interfaces requires a
UR license.

5. I probably shouldn't give VAR/reseller names on-list. But at the end of
the day, everybody that resells Cisco is subject to the same availability
issues and delivers the same products. And if the only support you buy is
Cisco SmartNet, then you get all of your support from them also. Shop on
price is my advice. Or call Cisco. If it's a big enough order (a handful
of 515E's won't qualify), they'll gladly hand over the lead to a channel
partner who's going to get stuck with a tiny margin because Cisco brought
them the lead and wants the sale. This works especially well if it's a
scenario where the Cisco products are up against another competitor (like
Juniper or Symantec). :-)

6. Cisco's website is actually pretty good as a support/reference resource.
Better than most. Also, this list's archives. And before you get too far
into your new firewall, I recommend:
http://www.enterastream.com/whitepapers/cisco/pix/pix-practical-guide.html

If nothing else it's a good introduction to the PIX paradigm, if you will.

PaulM

-----Original Message-----
Subject: [fw-wiz] PIX firewall licensing and beyond (newbie)

I come from a linux admin background and have an assignment to setup a pix
firewall. This is new territory and will be my first time playing with pix
os instead of iptables. Please excuse my newb questions, but we all start
somewhere. :-)

1. Which model? Our servers are in a co-location with a 100mbit drop.
Would that make the 515E the right choice if we actually want to make use of
our bandwidth? The pix becomes the bottleneck?

2. I'm a little uneasy about the licensing. What are the typical features I
should make sure that are included (e.g., 3DES)? What should I watch out
for.

3. I read somewhere that vlan support is only in pix os 6.3. Is vlan
support also based on which model I'm using, or do all pix firewall models
have this feature?

4. How many physical ports do the pix firewalls typically come with? It
seems like it's 2: one uplink, one downlink. I can already think of 3
security levels that I want my servers separated into. Does that mean I
have to buy expansion slots? Or should I use VLANs instead?

5. Any recommendations on a location to order the pix firewall and licensing
from? Good deals, good support, etc.

6. Any recommendations on some online reading that will help with
implementing the pix firewall? It would help to see some example network
layouts to get a better idea of how the components should be pieced
together.

--__--__--

Message: 4
From: "Paul Melson" <pmelson@gmail.com>
To: "'Firewall-Wizards'" <Firewall-Wizards@govnet.gov.fj>,
<firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] Cisco Remote Access VPN Problem
Date: Wed, 7 Sep 2005 14:21:42 -0400

Static arp entries using the arp command won't help. Enabling proxy-arp on
FE0/1 might.

PaulM

-----Original Message-----
Subject: [fw-wiz] Cisco Remote Access VPN Problem

Hi Folks

I can get the tunnel successfully established, the client successfully
authenticated with RADIUS, SA's formed and virtual ips (from the dmz)
assigned to the remote vpn client. There's static routes present on the 2600
to route internal network traffic to the dmz gateway (ie. fw) which
subsequently has rules to route these vpn traffic inside the internal
network.

...

As a workaround, I tried putting in some static arp entries on the fw, for
these virtual ips to point to physical dmz interface of the vpn device. The
ensuing result was that return traffic made its way back to the vpn device,
but then couldn't get to the actual vpn client :-(

--__--__--

Message: 5
From: David Lang <david.lang@digitalinsight.com>
To: Victor Williams <vbwilliams@neb.rr.com>
Cc: Vahid Pazirandeh <vpaziran@yahoo.com>,
firewall-wizards@honor.icsalabs.com
Date: Wed, 7 Sep 2005 18:43:51 -0700 (PDT)
Subject: Re: [fw-wiz] PIX firewall licensing and beyond (newbie)

> Vahid Pazirandeh wrote:
>> Hello everyone,
>>
>> I come from a linux admin background and have an assignment to setup a pix
>> firewall. This is new territory and will be my first time playing with pix
>> os
>> instead of iptables. Please excuse my newb questions, but we all start
>> somewhere. :-)

I'm just having to deal with pix firewalls again after ~5 years of linux
boxes, boy do I wish I could just use linux (it does what I tell it to
do, not what it assumes I want to do ;-)

I would say definitely run with the OS at version 7, especially if you
don't necessarily want the NAT configuration that they assume that you
will, it's an incredible pain to disable on lower revs.

>> 1. Which model? Our servers are in a co-location with a 100mbit drop.
>> Would
>> that make the 515E the right choice if we actually want to make use of our
>> bandwith? The pix becomes the bottleneck?

note that the network cards are plugged into 32 bit PCI slots on the 515
and 525 which limits its total I/O to ~330Mb, but this is the combined
inbound and outbound traffic so I would take the rating of a 515 at 180Mb
with a very large dose of salt (the 525 is rated at 300Mb, which given the
PCI limits would be ~150Mb in one interface and ~150Mb out a second
interface)

I don't know what the 535 boxes have for true I/O capacity, but they start
to get _really_ expensive.

>> 4. How many physical ports do the pix firewalls typically come with? It
>> seems
>> like it's 2: one uplink, one downlink. I can already think of 3 security
>> levels that I want my servers separated into. Does that mean I have to buy
>> expansion slots? Or should I use VLANs instead?

they do sell a quad 100Mb card for these machines, but watch the total
throughput.

--
There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
-- C.A.R. Hoare

--__--__--

Message: 6
Date: Wed, 7 Sep 2005 19:18:11 -0700 (PDT)
Subject: Re: [fw-wiz] stopping bots from phoning home
From: mason@schmitt.ca
To: "Paul D. Robertson" <paul@compuwar.net>
Cc: firewall-wizards@honor.icsalabs.com

Paul,

Thanks for your suggestions.

While responding to your comments, it got me thinking. So, I've decided
to share some of my other ideas for dealing with the problem of home
computer security from the perspective of an ISP.

There hasn't been a good constructive thread concerning the home user
problem in a while, so hopefully my follow up email to this one will spark
some interest.

<snip>

> Like the last time this surfaced, I'd recommend offering the customers a
> default deny option and see how many bite- if you can do per-user rules
> (and I don't know what sort of scale you're talking about- MSOs come in
> all sizes.) then you may get them to agree to it- I think the time is
> right for that.
>

It was a good suggestion then and it's a good one now, but my boss has
said that despite the obvious technical merit, he's not going for it.
He's concerned about an increase in support costs and negative customer
experiences with people phoning in that forget/don't understand the
repercussions of their choice. Or worse, leave us for the competition
without even phoning us, because they decide to use some new app that they
just downloaded and find that it doesn't work and their friend down the
street says, well it works fine on my dsl connection!

As well, the majority of support calls that we receive are from the very
people that need the protection most, but their use of the internet would
preclude a default deny ruleset on their modem. The kids are on IM and
playing online games at all hours, the whole family participates in p2p
filesharing and the fact that their computers are loaded to the gills with
spyware suggests that they are spending time visiting the somewhat less
savoury places on the net. The parents in these situations are most often
not very technically savvy and many don't really understand or supervise
what their kids are doing online.

> If you can get your customers to use an IRC proxy, great- it might be sort
> of interesting to look at doing a transparent proxy and just sending up a
> screen that asks for a specific response prior to continuing the
> connection- I'd be *really* interested in your results though, especially
> with the newer IM clients that do IRC.
>

I have given this some thought and talked it over with others here and we
think that your variation on the original idea is an improvement. Largely
due to the fact that popular IM clients, such as Trillian, that kind of
support IRC, wouldn't allow for authentication and some servers have a
limit on the number of connections from a single IP. So, rather than run
all connections through a proxy, we thought that perhaps we could just
watch for IRC connections to be established (really easy with the
packetshaper and doesn't require sniffing). When we see a connection
established, have a bot kick off that logs onto the server the connection
was made to and initiate a direct chat request to the user that just
logged on. The bot would ask a question and if it didn't get a response,
it would block IRC traffic for that IP and send an email to our ticket
system so that we know who is infected.

There's probably a less convoluted way of approaching this (if you have
one, let me know), but this is doable without having to do much
programming.

The big question is, whether it's worth the effort or not. I'm not sure.
It increases the complexity of our network while only focusing on the
current fad in spyware/trojans/bots (what do we call these things now?) of
using IRC. Currently there are bots (settled on bots), that once on the
host, will talk over http, p2p, or IM in order to get their instructions.
IRC is the current dominant method, but not the only one.

I'm more inclined to take a broader proactive approach, but could use some
guidance concerning some of my current half thought out ideas. I'll send
these ideas along in my next email.

> You know, if we could get rid of the home user problem, all our lives
> would get easier...
>

Then there wouldn't be an internet and that would suck. But, I know what
you mean...

> Personal firewalls that block outbound connections are a good thing- you
> might want to see if your marketing folks can do something akin to the
> AOL and DSL provider firewall packages- marketing always has money that
> techs don't...

Ha! You wouldn't believe the support problems that we have with people
that choose to install firewalls that ask them to make choices. I think
that having a firewall on the box that can see which program is trying to
connect is great! ...if there is a person interacting with it that
understands some basics. When the person using the computer has no idea
what the little pop ups are talking about and doesn't really want to know,
they just blindly click ok, because clicking ok means that they are more
secure right? We have had plenty of support calls where the customer is
angry that our mail server is down... when in reality, they clicked ok
when the window asked if they wanted to block pop3...

We do what we can to help out these people and sometimes that means having
them bring their pc in so that we can get a look at it. Often we tell
them that they would be better off with a common home firewall. The crazy
thing is that I know that many of the large ISPs (not sure if I should
name names or not) have it as part of their level1 tech support flow chart
to ask the customer to disable the firewall and leave it like that! That
really chaps my ass. If these big ISPs weren't so careless, I wouldn't
have so many problems... nor would the rest of the net for that matter.
Oh well, finger pointing isn't going to get me anywhere.

--
Mason

--__--__--

Message: 7
Date: Wed, 7 Sep 2005 19:34:54 -0700 (PDT)
From: mason@schmitt.ca
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] The home user problem returns

Hi. Just sent my reply to "bots phoning home" and here's the follow up
email that I promised.

As an admin for an ISP, I'm pretty much stuck with default allow (for the
time being anyway). Therefore, I've resigned myself to the fact and am
now trying to work within that constraint (odd that default allow is a
constraint...). Here are some ideas (probably not mine, but I'd like to
think they are) that I'm working on to help with the "home user problem".
I sure hope this gets someone's juices flowing as I'd like to participate
in a discussion on this.

Idea 1
--------
Most ISPs around here now advertise bit caps, but most don't strictly
enforce them. The common practice is to contact the top 10 each month and
"educate them" concerning their usage. If the same customer shows up on
that list repeatedly, most ISPs reserve the right to deny service to that
customer.

I was thinking of taking a similar approach and setting up OSSIM
(http://www.ossim.net/whatis.php#h2:whatis) on our network and using it to
identify our top ten least secure hosts (perhaps more often than once a
month...). When we call these people, rather than wield our mighty
clue-by-four, we approach it with the understanding that most of these
people don't have a clue about this stuff. This hopefully allows us to
get our message out to receptive ears:

There are 4 things that must be in place to provide a base level of
security for the home user. Firewall, windows updates, up to date
antivirus that is configured for automatic updates, and an anti-spyware
app also configured for automatic updates.

And if the customer is actually concerned about their own data - backups.
We can point them to some very straightforward info about these topics
online and tell them where to find half decent free tools if they are
unwilling to purchase software.

All of this doesn't require the customer to really change all that much,
so we also offer them some resources for learning about online safety and
security.

The hope is that by regularly interacting with our customers, people will
talk to each other. We do service small towns, so people do talk to each
other here.

Finally, if the customer continues to get infected and doesn't seem to be
making any effort to improve the situation, we reserve the right to ask
them to go to a different provider.

I think this should be good for business, good for our network and for
raising the common level of clue.

The best thing is that my boss agrees.

Idea 2
--------
In a similar customer education vein, is our plan to do an event. We are
going to advertise it like crazy and see if we can get people to come out
to a free-food, literature-and-freebies-available kind of thing. At this
event, I plan to do a few sessions throughout the day on some basic
security topics directed at very low tech home users. I want to
specifically talk about online banking and online shopping; tell people
about spyware, how it gets on their computers, and what they can do to
prevent it; and talk to parents about online safety for kids. If there
are any firewall wizards (or someone you know) in our area (Interior of
British Columbia) that might be interested in coming out to spread some
wisdom at such an event, I'd love to hear from you.

Idea 3
--------
Getting away from people oriented approaches now. I'm planning to setup a
"leper colony" (kudos to whomever coined that term. I also hope I'm not
offending anyone...). The idea is simply to quarantine obviously infected
machines from the rest of our network, and preferably from other members
of the colony as well. Upon being shoved into the colony, all attempts at
viewing web pages will take the customer to a web page telling them what's
wrong and what can be done to fix it. They will also receive an email
from our ticket system. The webpage the customer is directed to will
include a list of sites that they can go to, to do online scans for
viruses and spyware (they will be allowed to go to these sites - just not
the rest of the net) and the same links to more info that I mentioned in
idea 1. Once the customer is sure they are clean, they can just click on
a link on the page to let them out of the colony.
We already have the ability, via an automated system we have built, to
place customers into such a colony.

What remains is for me to have events on the network trigger the move to
the colony - this should be reasonably straightforward. I'm going to use
our packetshaper to watch for high numbers of failed flows which 100% of
the time signifies a worm, also use the shaper to catch open socks proxies.
The shaper will just send an snmp trap on these events. I'd like to extend
this by also getting an IDS in place. Finally, as part of my current
outbound mail hardening project, I'll also be able to trigger events
immediately upon seeing spam from a spam zombie - even if the zombie is
attempting to relay through our smarthost as opposed to the usual
direct-to-mx spam zombie activity.

I have some other ideas too, but that's about all I'm willing to bite off
for the next several months.

--
Mason
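The failed-flow trigger from idea 3 above, as an added example that is not part of Mason's post or any shaper product: it assumes a constructed one-line-per-flow export format, applies a sliding one-minute window per source, and adds a distinct-destination check (an assumption of this example, not something the post states) so that a customer retrying one dead server is not moved into the colony alongside a scanning worm.

```python
"""Failed-flow quarantine trigger (constructed example, not from the post).

Assumed flow record format, one record per line, records sorted by time:
    <unix_ts> <src_ip> <dst_ip> <dst_port> <state>
where state is ESTABLISHED for a completed handshake and FAILED for a SYN
that never got a SYN/ACK (or got a RST). A source is a quarantine
candidate when, inside WINDOW_SECONDS, it has more than FAILED_THRESHOLD
failed flows spread over more than DISTINCT_THRESHOLD distinct hosts.
"""
from collections import defaultdict, deque

FAILED_THRESHOLD = 50     # failed flows per window per source (assumed)
DISTINCT_THRESHOLD = 20   # distinct destinations among those failures (assumed)
WINDOW_SECONDS = 60


def parse_flow(line):
    """Split one assumed-format flow record into typed fields."""
    ts, src, dst, port, state = line.split()
    return int(ts), src, dst, int(port), state


def quarantine_candidates(lines, failed_threshold=FAILED_THRESHOLD,
                          distinct_threshold=DISTINCT_THRESHOLD,
                          window=WINDOW_SECONDS):
    """Return {src_ip: (failed_count, distinct_dsts)} for sources whose
    sliding window trips both thresholds; the peak values seen are kept
    so the ticket carries the worst observed numbers."""
    windows = defaultdict(deque)   # src -> deque of (ts, dst) failed flows
    flagged = {}
    for line in lines:
        ts, src, dst, _port, state = parse_flow(line)
        if state != "FAILED":
            continue
        q = windows[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop records older than window
            q.popleft()
        distinct = {d for _, d in q}
        if len(q) > failed_threshold and len(distinct) > distinct_threshold:
            prev = flagged.get(src, (0, 0))
            flagged[src] = (max(prev[0], len(q)), max(prev[1], len(distinct)))
    return flagged


def colony_event(src, stats, observed_at):
    """Build the event handed to the (assumed) colony/ticket automation."""
    failed, distinct = stats
    return {
        "action": "quarantine",
        "customer_ip": src,
        "reason": f"{failed} failed flows to {distinct} distinct hosts "
                  f"within {WINDOW_SECONDS}s",
        "observed_at": observed_at,
    }


def constructed_sample():
    """Constructed records: one scanning host, one host retrying a dead
    mail server, one healthy host. Base timestamp is arbitrary."""
    base = 1126000000
    lines = []
    for i in range(80):      # worm: 80 failed SYNs to 80 hosts in 40 seconds
        lines.append(f"{base + i // 2} 10.1.2.3 10.9.0.{i + 1} 445 FAILED")
    for i in range(60):      # dead server: 60 failures, all to one host
        lines.append(f"{base + i} 10.1.2.4 192.0.2.10 25 FAILED")
    for i in range(10):      # healthy host: completed handshakes only
        lines.append(f"{base + i} 10.1.2.5 198.51.100.{i + 1} 80 ESTABLISHED")
    lines.sort(key=lambda l: int(l.split()[0]))   # stable sort by time
    return lines


if __name__ == "__main__":
    hits = quarantine_candidates(constructed_sample())
    for ip, stats in hits.items():
        print(colony_event(ip, stats, 1126000039))
```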

--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest
