
Wednesday, June 27, 2007

firewall-wizards Digest, Vol 14, Issue 14

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. IPS Content filtering techniques (Skough Axel U/IT-S)
2. Re: Getting OSPF to work on a CISCO ASA 5550 (Farrukh Haroon)
3. Firewall scaling (Sami Ghourabi)
4. Re: Getting OSPF to work on a CISCO ASA 5550 (Keith A. Glass)


----------------------------------------------------------------------

Message: 1
Date: Mon, 25 Jun 2007 11:31:03 +0200
From: "Skough Axel U/IT-S" <axel.skough@scb.se>
Subject: [fw-wiz] IPS Content filtering techniques
To: <firewall-wizards@listserv.icsalabs.com>
Cc: Panahi Behzad U/IT-S <behzad.panahi@scb.se>
Message-ID: <7D5607434F895540B2A717820399633D3FDCD7@exs13.scb.intra>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

We have used IPS techniques for a long time to filter inbound traffic, and we do it by content inspection. However, we have noticed increasing rejections of certain traffic due to dirty reply packet content, and we will consider ways to issue automated notifications to certain actors on the Internet about weaknesses in their presence.

The "dirty" traffic is generated by sites issuing HTTP redirect commands (HTTP code 302). However, content filtering of these packets does not work well in certain cases due to improperly formatted HTTP packets. A possible rule set would be:

a) accept packets with missing Content-Type and Content-Length: 0 (conforms with RFC 2616 chapter 7.2.1). Not all IPS systems are capable of handling such packets as desired, but Content-Type doesn't need to be investigated in this case. We are trying to create rules for this situation in Microsoft ISA Server.

b) automatically notify the originating site in some way about malformed HTTP packets when Content-Type is missing and the Content-Length is a positive number. Does such an implementation exist for Microsoft ISA Server, and how should the notification recipient be identified automatically?

c) Also, unknown/private Content-Type settings can be investigated and pointed out automatically to the provider for correction when they cannot be identified as properly defined. Besides the IANA list, there are also possibilities to identify relatively common "well-known" private values.

Of course we do not want the IPS to "guess" the proper settings as Web readers do, for obvious security reasons, although this possibility exists according to RFC 2616 (obviously a possibility intended for Web readers, not security tools).

I would appreciate any comments in this matter!

Best regards

Axel Skough
Research & Development
Information Technology
Statistics Sweden
Box 24300
SE-10451 Stockholm
S W E D E N

Visitor's address:
Karlavägen 100, Stockholm, Sweden

E-mail: axel.skough@scb.se
Fax: +46 8 5069 4599
SMS: +46 70 577 1727

No rights may be derived from the contents of this e-mail message.

The information in this e-mail message is intended only for the addressee. Statistics Sweden cannot vouch for the correctness and completeness of the contents of e-mail messages, nor for the timely receipt thereof.
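The rule set sketched in points a) to c) above, written out as a small classifier over the head of an HTTP response. This is an added example, not code from the original post or from ISA Server; the media-type registry and the list of "well-known" private values are constructed stand-ins for the real IANA list, and the sample responses are constructed too.

```python
from typing import Dict, Tuple

# Constructed stand-in for the IANA media-type registry (top-level types only)
# and for a locally maintained list of "well-known" private x- values.
IANA_TOP_LEVEL = {"application", "audio", "image", "message", "model",
                  "multipart", "text", "video"}
KNOWN_PRIVATE = {"application/x-www-form-urlencoded", "application/x-gzip"}


def parse_head(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a response head into its status line and a lower-cased header map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status, *lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(raw: bytes) -> Tuple[str, str]:
    """Return ('accept' | 'notify', reason) for one response head."""
    _, h = parse_head(raw)
    ctype = h.get("content-type")
    try:
        clen = int(h.get("content-length", "0"))  # absent body length counts as 0
    except ValueError:
        return "notify", "unparsable Content-Length"
    if ctype is None:
        if clen == 0:
            return "accept", "no body, Content-Type not needed (rule a)"
        return "notify", "Content-Type missing with Content-Length %d (rule b)" % clen
    media = ctype.split(";", 1)[0].strip().lower()   # drop parameters like charset
    top, _, sub = media.partition("/")
    if top not in IANA_TOP_LEVEL or not sub:
        return "notify", "unknown Content-Type %s (rule c)" % media
    if sub.startswith("x-") and media not in KNOWN_PRIVATE:
        return "notify", "unregistered private Content-Type %s (rule c)" % media
    return "accept", "registered Content-Type %s" % media


# Constructed sample responses, one per rule.
REDIRECT_EMPTY = (b"HTTP/1.1 302 Found\r\nLocation: http://example.invalid/\r\n"
                  b"Content-Length: 0\r\n\r\n")
REDIRECT_BODY = (b"HTTP/1.1 302 Found\r\nLocation: http://example.invalid/\r\n"
                 b"Content-Length: 154\r\n\r\n<html>moved</html>")
PRIVATE_TYPE = b"HTTP/1.1 200 OK\r\nContent-Type: application/x-foo\r\n\r\n"
NORMAL = b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
```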


------------------------------

Message: 2
Date: Sat, 23 Jun 2007 22:45:07 +0300
From: "Farrukh Haroon" <farrukhharoon@gmail.com>
Subject: Re: [fw-wiz] Getting OSPF to work on a CISCO ASA 5550
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<eff3217d0706231245k2b4ddfb8w189b482d9449a05c@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Keith, are you using Transparent mode here?

If so, make sure the two interfaces you use for transparent mode are from
the built-in chassis and not from the expansion module.

Try setting p2p non-broadcast OSPF type for troubleshooting purposes
(sending unicast msgs instead of multicast)

Regards

Farrukh

On 6/22/07, Keith A. Glass <salgak@speakeasy.net> wrote:
>
> We've been trying, but have had little luck: ASDM config of 2 connecting
> OSPF routers, but when we "show ospf nei". . .nothing.
>
> Looking on the switch, OSPF appears to be down. . .
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20070623/db58c1e1/attachment-0001.html


------------------------------

Message: 3
Date: Sat, 23 Jun 2007 13:40:29 +0200
From: "Sami Ghourabi" <sami.ghourabi@online-netsecurity.com>
Subject: [fw-wiz] Firewall scaling
To: <firewall-wizards@listserv.icsalabs.com>
Message-ID: <001401c7b58b$4ef06f10$4dfee229@PCTEST>
Content-Type: text/plain; charset="us-ascii"

Hi List,

I'm trying to convince management that a firewall that supports 32000
concurrent sessions is enough for an organization that has a single WAN
internet link, and about 60-100 users, but I'm lacking arguments.

What do you think about that statement? Are there any rational methods
available for firewall performance scaling (concurrent sessions, new
sessions per second, throughput, etc.)?

Any answer/resource appreciated.

Best Regards.

------------------------------

Message: 4
Date: Tue, 26 Jun 2007 18:17:05 -0400
From: "Keith A. Glass" <salgak@speakeasy.net>
Subject: Re: [fw-wiz] Getting OSPF to work on a CISCO ASA 5550
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <007201c7b83f$bbbb8e70$3332ab50$@net>
Content-Type: text/plain; charset="us-ascii"

This is a 5550: no expansion module to start with: two chassis quads.

We got a solution over the weekend, basically ignore everything Cisco says
in the docs, and three simple lines of code at the command line, rather than
ASDMing it. I'm not the guy who came up with the solution, but I'm
implementing it on all our ASA 5550's. . .

Will check, should be publishable, but have to make sure (classified system)

From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of Farrukh
Haroon
Sent: Saturday, June 23, 2007 3:45 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Getting OSPF to work on a CISCO ASA 5550

Keith, are you using Transparent mode here?

If so, make sure the two interfaces you use for transparent mode are from
the built-in chassis and not from the expansion module.

Try setting p2p non-broadcast OSPF type for troubleshooting purposes
(sending unicast msgs instead of multicast)

Regards

Farrukh

On 6/22/07, Keith A. Glass <salgak@speakeasy.net> wrote:

We've been trying, but have had little luck: ASDM config of 2 connecting
OSPF routers, but when we "show ospf nei". . .nothing.

Looking on the switch, OSPF appears to be down. . .


_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20070626/521f1bbb/attachment-0001.html


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 14, Issue 14
************************************************
