firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. ASA 5520 AIP-SSM 20 (Pablo Perez)
2. Pix 515E - Memory Upgrade (J Alexander)
3. Query: NMAP SCAN of Privileged Ports on a DLINK G624T (william fitzgerald)
4. Re: Cisco ASA and FWSM (nick.nauwelaerts@thomson.com)
5. Re: Pix 515E - Memory Upgrade (Paul Melson)
6. Re: Pix 515E - Memory Upgrade (vbwilliams@neb.rr.com)
7. Re: Cisco ASA and FWSM (Chuck Swiger)
----------------------------------------------------------------------
Message: 1
Date: Wed, 9 May 2007 14:36:19 -0300
From: Pablo Perez<pablo.perez.arg@gmail.com>
Subject: [fw-wiz] ASA 5520 AIP-SSM 20
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <000501c79260$92786d30$7d14010a@LA.LOGICALIS.COM>
Content-Type: text/plain; charset="us-ascii"
Hi guys, I have an ASA 5520 with the AIP-SSM 20 module, and its version is
5.1(1)S205.
Can anyone tell me what the migration path is to upgrade from this version to
the latest 5.X version and the S284 signature?
Thanks in advance!
Pablo
------------------------------
Message: 2
Date: Tue, 8 May 2007 16:31:45 -0400
From: "J Alexander" <jlalexander@gmail.com>
Subject: [fw-wiz] Pix 515E - Memory Upgrade
To: firewall-wizards@listserv.icsalabs.com
Message-ID:
<aede13550705081331r1fdeacf2hc367df75c7bf3560@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
I'm hoping there's an easier way than opening up the PIX to determine if
both memory slots are used. I need to upgrade to 128M. It currently has
64M. Does anyone know if there is a command that will show how many MB each
slot contains or something similar? Current version is 6.3(5), UR with
Failover
TIA!
J
------------------------------
Message: 3
Date: Tue, 08 May 2007 13:19:31 +0100
From: william fitzgerald <wfitzgerald@tssg.org>
Subject: [fw-wiz] Query: NMAP SCAN of Privileged Ports on a DLINK G624T
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <46406AD3.7000204@tssg.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Dear Firewall Gurus,
My network is protected by a DLINK G624T broadband router (budget
constraints). Default policy is to DENY incoming, ACCEPT outgoing, and I
have firewall features to stop DoS and spoofing enabled on the firewall.
Note: in this email I also refer to Small Business Server as extra
information to my NMAP scan and possibly its role in running unwanted
services.
QUESTION:
Am I open to exploits? What does it mean to be "filtered"? See below for
details.
NETWORK TOPOLOGY:
+++++++++++++++
SOHO DLINK-G624T ADSL (4-port router and firewall) ---> external SBS NIC
1 -----> internal SBS NIC 2 ------> two PC's
Note: no port forwarding from DLINK to SBS external IP set up for
external network access.
NMAP SCAN:
++++++
I ran an external nmap scan (from another network) on my network's public
static IP address for ports 0 to 1025, and the results were as follows:
nmap -sT -p 0-1025 -PT MYIPAddress
Interesting ports on MYIPAddress.ISPProviderDomain (MYIPAddress):
Not shown: 1014 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
23/tcp filtered telnet
80/tcp filtered http
110/tcp filtered pop3
119/tcp filtered nntp
443/tcp filtered https
465/tcp filtered smtps
500/tcp filtered isakmp
501/tcp filtered stmf
873/tcp filtered rsync
993/tcp filtered imaps
995/tcp filtered pop3s
Nmap finished: 1 IP address (1 host up) scanned in 13.582 seconds
NMAP QUESTION:
Am I open to exploits? What does it mean to be "filtered"? Are these
nmap guesses that certain ports may be used or open?
ASIDE:
DLINK has firewall capabilities, but I wonder if I can add to the
security of this by possibly activating an inbuilt firewall on the SBS
standard server?
MY CONCERN:
++++++++++
I do not run, for example, the insecure telnet or in fact any of these
nmap-detected services publicly/remotely (nor internally that I am aware
of). I don't even use SBS as a mail server at the moment. Both client
PCs fetch email directly into Thunderbird clients from the external web
and mail hosting provider.
SBS was given the 2 DNS IP addresses from the broadband service provider.
SBS is not a DNS server; it's more a relay, I guess, for client requests.
So I wonder, does SBS standard edition by default run these services even
though they are not needed?
The DLINK G624T has a firewall policy of DENY all incoming and ACCEPT
all outgoing. Hence, I wonder, does SBS say "I want to run services XYZ"
and the firewall says "OK, I'll open these ports as SBS is trusted
and is internal to the network"?
Note that both PC clients also run Skype. Maybe I should not run Skype!
Any comments welcomed.
regards,
Will.
------------------------------
Message: 4
Date: Fri, 4 May 2007 15:42:25 +0200
From: <nick.nauwelaerts@thomson.com>
Subject: Re: [fw-wiz] Cisco ASA and FWSM
To: <firewall-wizards@listserv.cybertrust.com>
Message-ID:
<3D28EBDA36A6E6469582A86D3B5B639C01993FD5@tlrbeantmbx02.ERF.THOMSON.COM>
Content-Type: text/plain; charset="US-ASCII"
> -----Original Message-----
> From: firewall-wizards-bounces@listserv.cybertrust.com
> [mailto:firewall-wizards-bounces@listserv.cybertrust.com] On
> Behalf Of Timo Schoeler
> Sent: Monday, April 30, 2007 15:35
> To: Firewall Wizards Security Mailing List
> Cc: drsharp@pacbell.net
> Subject: Re: [fw-wiz] Cisco ASA and FWSM
> >
> > ASA top model supports (8) gig interfaces, but ether channel
> > still does not appear to be supported. Not a big deal as the top ASA
> > only supports up to 1.2gbs throughput.
>
> yeah, and for the ASA-5520 (e.g.) they share one single interrupt.
> worst hardware design ever.
Why would that be? Sharing interrupts will result in fewer context
switches. Different interrupts will result in a context switch for each
interrupt, while with shared interrupts multiple interrupts can be
handled in the same context switch. And running their drivers in polling
mode instead of interrupt mode would make this matter even less, which
would make quite some sense in the ASA's case.
// nick
------------------------------
Message: 5
Date: Wed, 9 May 2007 15:20:58 -0400
From: "Paul Melson" <pmelson@gmail.com>
Subject: Re: [fw-wiz] Pix 515E - Memory Upgrade
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <006e01c7926f$2cf33530$f902fea9@ad.priorityhealth.com>
Content-Type: text/plain; charset="us-ascii"
> I'm hoping there's an easier way than opening up the PIX to determine if
> both memory slots are used. I need to upgrade to 128M. It currently has
> 64M. Does anyone know if there is a command that will show how many MB each
> slot contains or something similar? Current version is 6.3(5), UR with
> Failover
No command to run, but it's easy enough to figure out. UR or UR-FO chassis
ship with 1 64MB DIMM and can be upgraded to 128MB with a 2nd DIMM. The
restricted (R-BUN) chassis ships with 1 32MB DIMM and can be upgraded to
64MB with a 2nd DIMM. You should be fine to upgrade.
PaulM
------------------------------
Message: 6
Date: Wed, 09 May 2007 14:21:00 -0500
From: vbwilliams@neb.rr.com
Subject: Re: [fw-wiz] Pix 515E - Memory Upgrade
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Cc: firewall-wizards@listserv.cybertrust.com
Message-ID: <c579a5a512884.12884c579a5a5@rdc-kc.rr.com>
Content-Type: text/plain; charset=us-ascii
By default both memory slots are used. When you order the upgrade,
you'll always get two 64 meg pieces. It's one of those old 486 or
Celeron boards where you only had 2 memory slots, and the memory had to
be installed in pairs, and the memory had to be identical. So, if
you've got 64 right now, that automatically means you have 32 * 2.
----- Original Message -----
From: J Alexander <jlalexander@gmail.com>
Date: Wednesday, May 9, 2007 12:51 pm
Subject: [fw-wiz] Pix 515E - Memory Upgrade
To: firewall-wizards@listserv.cybertrust.com
> I'm hoping there's an easier way than opening up the PIX to
> determine if both memory slots are used. I need to upgrade to 128M. It
> currently has 64M. Does anyone know if there is a command that will show how
> many MB each slot contains or something similar? Current version is 6.3(5), UR
> with Failover
>
> TIA!
> J
>
------------------------------
Message: 7
Date: Wed, 9 May 2007 11:24:44 -0700
From: Chuck Swiger <chuck@codefab.com>
Subject: Re: [fw-wiz] Cisco ASA and FWSM
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <E573228D-759F-4A06-9966-3BCB8EFE920A@codefab.com>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
On May 4, 2007, at 6:42 AM, <nick.nauwelaerts@thomson.com> wrote:
>> Timo Schoeler wrote:
>> yeah, and for the ASA-5520 (e.g.) they share one single interrupt.
>> worst hardware design ever.
>
> Why would that be? Sharing interrupts will result in less context
> switches. Different interrupts will result in a context switch for
> each
> interrupt, while shared interrupts can handle multiple interrupts
> can be
> handled in the same context switch.
There's going to be a context switch for each interrupt, regardless
of whether they are shared or not. It's typically the case that you
disable receiving new interrupts while running the interrupt service
routine (ISR), which means that you aren't going to get or handle
multiple interrupts in a single context switch.
Some of the better designed systems use fine-grained mutex locking
for each instance of a device driver and/or have a "fast interrupt
handler" which returns as quickly as it can to minimize interrupt
service latency, but depends on having a separate kernel thread to
perform the bulk of the work which needed to be done and would
normally have to be done within a traditionally designed interrupt
handler before it would be allowed to return.
Whenever you have a shared interrupt, all of the associated ISRs need
to run until one of them recognizes that the interrupt came from the
associated device, which causes more work and adds latency to the
ISR. And even if you have devices which have a well-written ISR
which is SMP-safe and does the necessary fine-grained locking, if
another device sharing that interrupt is not SMP-safe, then the
system will still have to obtain "Giant"/"the big kernel lock"/etc
for that ISR to run, which causes significant slowdowns.
In existing SMP x86 hardware, you'll commonly see that when you have
something like a USB port sharing an IRQ line with a NIC, the result
will be significantly reduced network performance.
> And running their drivers in polling mode instead of interrupt mode
> would make this even matter less, which
> would make quite some sense in the ASA's case.
Polling has some significant advantages in that it tries to work
on a "process to completion" model and was designed to service
multiple outstanding requests during a single context switch, but you
end up running the polling service routine very often-- typically
some significant fraction, like 50%, of scheduler ticks-- and you'll
generally want to be using a scheduler quantum of around 1ms or so,
which means you're doing perhaps 500 polling ISRs per second
regardless of load.
If the device was seeing more than 500 interrupts/sec, then polling
would typically improve efficiency, but if it was mostly idle, it's
still going to be using a lot of CPU if polling is being used. Newer
NICs have much bigger packet buffers and can use interrupt mitigation
techniques to delay firing the IRQ line so that they might accumulate
several packets before the ISR activates, and thus they gain some of
the advantages of polling without also gaining the disadvantage of
keeping the CPU busy even when the device is mostly idle.
--
-Chuck
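The trade-off Chuck lays out (per-packet interrupts vs. a fixed-rate polling routine vs. NIC-side interrupt mitigation) can be put in numbers with a small model. This is an added illustration, not code from the list or from any Cisco product; the 500 polls/s figure comes from the post above, while the 64-packet coalescing budget and 100 microsecond hold-off are constructed assumptions.

```python
"""Model of how many times per second the service routine (ISR or poll
routine) runs for a NIC under three driver strategies, as a function of
offered packet rate.  Constructed illustration; parameters are assumptions."""

POLL_HZ = 500.0  # from the post: ~50% of 1 kHz scheduler ticks run the poll routine


def per_packet_interrupt_rate(pkt_per_s: float) -> float:
    """Classic driver: every received packet raises an IRQ, so the ISR
    (and its context switch) runs once per packet.  Zero cost when idle."""
    return float(pkt_per_s)


def polling_rate(pkt_per_s: float, poll_hz: float = POLL_HZ) -> float:
    """Polling: the routine runs on a fixed fraction of scheduler ticks
    regardless of load, so the cost is flat even on an idle link."""
    return float(poll_hz)


def coalesced_interrupt_rate(pkt_per_s: float, max_pkts: int = 64,
                             max_delay_s: float = 100e-6) -> float:
    """Interrupt mitigation (assumed parameters): the NIC holds the IRQ
    after the first packet until either `max_pkts` have accumulated or
    `max_delay_s` has elapsed.  At low rates each packet still gets its own
    IRQ; at high rates IRQs are capped at pkt_per_s / max_pkts."""
    if pkt_per_s <= 0:
        return 0.0
    # packets expected to arrive inside one hold-off window, at least 1
    batch = max(1.0, min(float(max_pkts), pkt_per_s * max_delay_s))
    return pkt_per_s / batch


def compare(pkt_per_s: float) -> dict:
    """Service-routine invocations per second for each strategy."""
    return {
        "per_packet": per_packet_interrupt_rate(pkt_per_s),
        "polling": polling_rate(pkt_per_s),
        "coalesced": coalesced_interrupt_rate(pkt_per_s),
    }


def cheapest(pkt_per_s: float) -> str:
    """Strategy with the fewest invocations at this load (ties favour the
    earlier key, i.e. plain interrupts on an idle or lightly loaded link)."""
    rates = compare(pkt_per_s)
    return min(rates, key=rates.get)


if __name__ == "__main__":
    for pps in (0, 100, 2_000, 100_000, 1_000_000):
        print(pps, compare(pps), "->", cheapest(pps))
```

Below roughly 500 packets/s plain interrupts are cheapest and polling burns a flat 500 invocations/s doing nothing, which is the idle-link disadvantage from the post; well above that, polling or coalescing wins, with coalescing approaching polling's batching without the idle cost.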
------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest, Vol 13, Issue 4
***********************************************