
Monday, August 27, 2007

firewall-wizards Digest, Vol 16, Issue 15

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: IPv6 support in firewalls (Behm, Jeffrey L.)
2. Re: Query: Why bother with an application proxy over stateful
packet filtering? (Patrick M. Hausen)
3. Re: Query: Why bother with an application proxy over stateful
packet filtering? (william fitzgerald)
4. Re: ***SPAM*** Re: IPv6 support in firewalls (Dave Piscitello)
5. Re: Query: Why bother with an application proxy over stateful
packet filtering? (Marcin Antkiewicz)
6. Re: ***SPAM*** Re: IPv6 support in firewalls (ArkanoiD)
7. Re: IPv6 support in firewalls (ArkanoiD)
8. Re: ***SPAM*** Re: IPv6 support in firewalls (Dave Piscitello)


----------------------------------------------------------------------

Message: 1
Date: Mon, 27 Aug 2007 09:40:33 -0500
From: "Behm, Jeffrey L." <BehmJL@bv.com>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<0C3670BC9169B244AA6E7B2E436180D196374A@TSMC-MAIL-04.na.bvcorp.net>
Content-Type: text/plain; charset="us-ascii"

On Monday, August 27, 2007 2:31 AM, Patrick M. Hausen wrote:

Snipped out the discussion about why IPv6 should be deployed to
every device, even those "inside the firewall" and that NAT should
be killed...

>First you should not rely on NAT as a security measure, anyway,
>because it isn't.

For a security-conscious IT professional, this may be a true statement.

But, for the vast majority of end users of IT, given the choice of a
Hardware NAT device vs. nothing for security, I'll pick the hardware
NAT device every time.


------------------------------

Message: 2
Date: Mon, 27 Aug 2007 16:58:18 +0200
From: "Patrick M. Hausen" <hausen@punkt.de>
Subject: Re: [fw-wiz] Query: Why bother with an application proxy over
stateful packet filtering?
To: wfitzgerald@tssg.org, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20070827145818.GB6532@hugo10.ka.punkt.de>
Content-Type: text/plain; charset=iso-8859-1

Hi, Will,

> I am wondering why would there be a need to set up a proxy such as a web
> proxy (Squid) instead of just using a stateful packet filtering firewall
> (iptables) only in a network?

I suggest you start by reading these two papers for an answer:

http://www.avolio.com/papers/apgw+spf.html
http://www.securecomputing.com/webform.cfm?id=123

The latter requires one-time registration to download,
so Secure Computing can send you sp^H^Himportant security
related information.

Kind regards,
Patrick M. Hausen
Leiter Netzwerke und Sicherheit
--
punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info@punkt.de

http://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285


------------------------------

Message: 3
Date: Mon, 27 Aug 2007 16:36:00 +0100
From: william fitzgerald <wfitzgerald@tssg.org>
Subject: Re: [fw-wiz] Query: Why bother with an application proxy over
stateful packet filtering?
To: Andy Cunningham <andyc@cunningham.me.uk>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <46D2EF60.8080501@tssg.org>
Content-Type: text/plain; charset=ISO-8859-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks Andy.

You've given me food for thought.

First point:

While I agree with your view of controlling telnet or inappropriate
protocols across a firewall as compared with using a more fine-grained
web proxy, I can still bypass the proxy via "httptunnel", for example.

So both proxy and firewall can be equally subverted internally via
outbound traffic to a rogue service listening on an HTTP port.

Second Point:
Also, iptables could use its "string matching" to filter inappropriate
sites that match content keywords, or even filter based on a black-hole list.

I guess I am still struggling to see any real benefits as of right now,
apart from the obvious web caching abilities, but that's not what this
discussion is about.

I will dig deeper, starting with Patrick Hausen's reading list (previous
post reply) first and move from there.

regards,
Will.

PS: I drive a Mazda B2500 4X4. I am interested in 4x4s too, and I
plan on getting an old cheap jeep to enjoy some off-roading as a hobby.


Andy Cunningham wrote:
> william fitzgerald nearly made me spill my Shiraz on 08/27/2007 03:05 PM
> by writing:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Dear Experts,
>>
>> I am interested in knowing more about network access control via various
>> kinds of firewalls.
>>
>> I am wondering why would there be a need to set up a proxy such as a web
>> proxy (Squid) instead of just using a stateful packet filtering firewall
>> (iptables) only in a network?
>>
> The two usual reasons are protocol enforcement and content filtering.
>
> A stateful packet inspection firewall will allow anything you like once
> the initial TCP handshake has been approved, so there's nothing stopping
> me setting up a telnet server on port 80 and connecting to that from
> inside the office. If the only thing allowed to communicate to the
> firewall is the proxy server, you know you're only ever doing http.
>
> There are a number of plugins for proxy servers that mean you can filter
> inappropriate sites and otherwise control access in ways a pure firewall
> can't. Some of this functionality is available in some newer firewalls
> systems if you want a single device.
>
> Hope that helps.
>
> Andy
>

- --
William M. Fitzgerald,
PhD Student,
Telecommunications Software & Systems Group,
ArcLabs Research and Innovation Centre,
Waterford Institute of Technology,
WIT West Campus,
Carriganore,
Waterford.
Office Ph: +353 51 302937
Mobile Ph: +353 87 9527083
Web: www.williamfitzgerald.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG0u9fIcwlebz1MmwRAnwcAKDV1HGEStrEAoByig3iHKDx3xqLtACgycxc
XHQbBu8SUU0uGyNdODoCvQI=
=KRqS
-----END PGP SIGNATURE-----
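
The exchange above (Andy's point that a stateful filter approves the 5-tuple and then passes any bytes, Will's reply that httptunnel wraps arbitrary data in well-formed HTTP so the proxy passes it too, and his note that iptables string matching can block keywords) as an added example that is not part of the original thread. The three decision functions, the sample streams and the blocked host name are all constructed for illustration; the HTTP request-line check is a deliberately minimal stand-in for what a real proxy such as Squid does.

```python
"""Added example (not from the thread): the same client-to-port-80 data
streams judged by a stateful packet filter, a protocol-enforcing web proxy,
and an iptables '-m string'-style keyword filter. All traffic is constructed."""
from dataclasses import dataclass

TELNET_IAC = 0xFF  # telnet option negotiation opens with the IAC byte


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # start of the client's stream after the TCP handshake


def stateful_filter(flow, allowed_dports=(80, 443)):
    """Andy's point: once the 5-tuple is approved, every later byte is passed."""
    return flow.dport in allowed_dports


def looks_like_http_request(data):
    """Minimal request-line check of the kind a web proxy performs before forwarding."""
    line, sep, _ = data.partition(b"\r\n")
    if not sep:
        return False
    parts = line.split(b" ")
    if len(parts) != 3:
        return False
    method, target, version = parts
    return (method in (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS")
            and target.startswith((b"/", b"http://"))
            and version in (b"HTTP/1.0", b"HTTP/1.1"))


def web_proxy(flow):
    """Protocol enforcement: a parseable HTTP request is relayed, anything else is not."""
    return stateful_filter(flow) and looks_like_http_request(flow.first_bytes)


def string_match_filter(flow, blocked=(b"badsite.example",)):
    """Will's second point: keyword matching on the raw payload, as iptables -m string does."""
    return stateful_filter(flow) and not any(word in flow.first_bytes for word in blocked)


# Constructed sample streams, all to TCP port 80.
SAMPLES = {
    "plain_get": Flow("192.168.1.10", "198.51.100.7", 80,
                      b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "telnet_on_80": Flow("192.168.1.10", "198.51.100.8", 80,
                         bytes([TELNET_IAC, 0xFD, 0x18])),  # IAC DO TERMINAL-TYPE
    # httptunnel-style: an arbitrary stream (here an SSH banner) carried inside a
    # well-formed POST, which is exactly what Will says lets him bypass the proxy.
    "tunneled_ssh": Flow("192.168.1.10", "198.51.100.9", 80,
                         b"POST /tunnel HTTP/1.1\r\nHost: rogue.example\r\n"
                         b"Content-Length: 21\r\n\r\nSSH-2.0-OpenSSH_4.7\r\n"),
    "blocked_site": Flow("192.168.1.10", "198.51.100.10", 80,
                         b"GET / HTTP/1.1\r\nHost: badsite.example\r\n\r\n"),
}


def evaluate(flows=SAMPLES):
    """Return {sample: {control: allowed?}} for every sample and every control."""
    return {
        name: {
            "stateful": stateful_filter(flow),
            "proxy": web_proxy(flow),
            "string_match": string_match_filter(flow),
        }
        for name, flow in flows.items()
    }


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:14s}", "  ".join(f"{k}={'pass' if v else 'BLOCK'}" for k, v in verdicts.items()))
```

Running it shows the three positions in the thread side by side: the packet filter passes all four streams, the proxy blocks the telnet-on-80 stream but passes the tunneled SSH banner because the outer POST is valid HTTP, and the keyword filter catches the blocked host name but has no notion of protocol at all.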


------------------------------

Message: 4
Date: Mon, 27 Aug 2007 13:24:54 -0400
From: Dave Piscitello <dave@corecom.com>
Subject: Re: [fw-wiz] ***SPAM*** Re: IPv6 support in firewalls
To: "Patrick M. Hausen" <hausen@punkt.de>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <46D308E6.4030903@corecom.com>
Content-Type: text/plain; charset="iso-8859-1"

Patrick M. Hausen wrote:

> First you should not rely on NAT as a security measure, anyway,
> because it isn't.

I advocate using every measure possible to provide security. IP
masquerading helps thwart information gathering. I would never suggest
using NAT as the only security measure. By IP masquerading, I avoid
having a RIR identify the address blocks I use internally, as they would
if I were to use public space. Explain why you feel this is wrong?


> Third, this is the _only_ way to get rid of the "net 10 considered
> harmful" nightmare

It's only a nightmare for people who do not exercise discipline in
assigning addresses. I could just as easily err with public addresses
and assign the same block of addresses to multiple sites. The fact that
an RIR allocates you a block of IPv6 addresses does not guarantee you
will not botch assignment within your networks.

Even Forrest Gump knows, "stupid is as stupid does".


> IMHO theses are the combined reasons to start over and
> kill NAT forever.

Won't happen in my lifetime, nor my children's lifetime.


------------------------------

Message: 5
Date: Mon, 27 Aug 2007 11:20:11 -0500 (CDT)
From: Marcin Antkiewicz <firewallwizards@kajtek.org>
Subject: Re: [fw-wiz] Query: Why bother with an application proxy over
stateful packet filtering?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.64.0708271101210.32468@runt.uhhh.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

> I am wondering why would there be a need to set up a proxy such as a web
> proxy (Squid) instead of just using a stateful packet filtering firewall
> (iptables) only in a network?

Will,

Do not think that just because something is a good packet filter, it
will also make a good proxy, or IDS. Just because you know how to start
a fire using a screwdriver it is not a good idea to keep doing so,
especially when you have matches at hand.

Packet filtering and (security) proxies are different technologies - I use
both of them because, when used correctly, they address different needs.

For more insight please read:
http://www.ranum.com/security/computer_security/editorials/deepinspect/index.html

--
Marcin Antkiewicz


------------------------------

Message: 6
Date: Mon, 27 Aug 2007 22:51:14 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] ***SPAM*** Re: IPv6 support in firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Cc: "Patrick M. Hausen" <hausen@punkt.de>, dave@corecom.com
Message-ID: <20070827185114.GA2933@eltex.net>
Content-Type: text/plain; charset=us-ascii

I think the real reason behind that is not to have those machines in
"routable space" but just to avoid collisions when you merge big networks
(ever seen merging two companies both using 10/8? It's just a nightmare ;-)

On Mon, Aug 27, 2007 at 09:30:45AM +0200, Patrick M. Hausen wrote:
>
> Yes, I think "official" registered address space for every single
> node, PC, mobile phone, fridge, coffee machine, ... _is_ the
> ultimate goal and one of the major reasons to deploy IPv6.

------------------------------

Message: 7
Date: Mon, 27 Aug 2007 22:53:20 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20070827185320.GB2933@eltex.net>
Content-Type: text/plain; charset=us-ascii

Well, a stateful filter set up for outbound connections only is
exactly equivalent to a NAT device. It is even better because
there are no moronic "UPnP" things that could be accidentally left
turned on.

On Mon, Aug 27, 2007 at 09:40:33AM -0500, Behm, Jeffrey L. wrote:
> On Monday, August 27, 2007 2:31 AM, Patrick M. Hausen wrote:
>
> Snipped out the discussion about why IPv6 should be deployed to
> every device, even those "inside the firewall" and that NAT should
> be killed...
>
> >First you should not rely on NAT as a security measure, anyway,
> >because it isn't.
>
> For a security-conscious IT professional, this may be a true statement.
>
> But, for the vast majority of end users of IT, given the choice of a
> Hardware NAT device vs. nothing for security, I'll pick the hardware
> NAT device every time.

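ArkanoiD's claim above (an outbound-only stateful filter makes the same decisions as a NAT device, minus the UPnP hole) as an added example, not code from the thread. Both devices are fed the same constructed traffic; the internal prefix, the public address, the port-preserving translation and the stray UPnP mapping are all assumptions made for the demonstration.

```python
"""Added example (not from the thread): an outbound-only stateful filter and a
masquerading NAT device fed the same constructed traffic. Addresses, the
port-preserving translation and the UPnP mapping are all assumptions."""
from dataclasses import dataclass

INSIDE_PREFIX = "192.168.1."   # assumed internal network
PUBLIC_IP = "203.0.113.1"      # assumed public address of the NAT device


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)


class StatefulFilter:
    """Routed (untranslated) addresses; inside may initiate, outside may only answer."""

    def __init__(self):
        self.conntrack = set()  # (inside_ip, inside_port, remote_ip, remote_port)

    def decide(self, p):
        if is_inside(p.src):
            self.conntrack.add((p.src, p.sport, p.dst, p.dport))
            return "ALLOW"
        # Inbound: only if it answers a connection recorded in the state table.
        return "ALLOW" if (p.dst, p.dport, p.src, p.sport) in self.conntrack else "DROP"


class NatDevice:
    """Port-preserving masquerade (simplified: no port collisions between inside hosts).
    Inbound is allowed only when a translation exists, or a UPnP mapping was left on."""

    def __init__(self, upnp_mappings=None):
        self.translations = {}  # (remote_ip, remote_port, external_port) -> (inside_ip, inside_port)
        self.upnp = dict(upnp_mappings or {})  # external_port -> (inside_ip, inside_port)

    def decide(self, p):
        if is_inside(p.src):
            self.translations[(p.dst, p.dport, p.sport)] = (p.src, p.sport)
            return "ALLOW"
        if p.dst != PUBLIC_IP:
            return "DROP"
        if (p.src, p.sport, p.dport) in self.translations:
            return "ALLOW"
        if p.dport in self.upnp:  # the "accidentally left on" hole ArkanoiD mentions
            return "ALLOW"
        return "DROP"


def run_scenario(device, visible_inside_addr):
    """visible_inside_addr is how the outside reaches the inside host: its own
    routed address without NAT, the shared public address with NAT."""
    steps = [
        ("outbound web request", Packet("192.168.1.10", 51000, "198.51.100.7", 80)),
        ("reply to that request", Packet("198.51.100.7", 80, visible_inside_addr, 51000)),
        ("unsolicited inbound ssh", Packet("198.51.100.9", 4444, visible_inside_addr, 22)),
        ("unsolicited inbound rdp", Packet("198.51.100.9", 4445, visible_inside_addr, 3389)),
    ]
    return {name: device.decide(p) for name, p in steps}


def compare():
    """Decisions of the filter, a clean NAT, and a NAT with a stray UPnP mapping."""
    return (
        run_scenario(StatefulFilter(), "192.168.1.10"),
        run_scenario(NatDevice(), PUBLIC_IP),
        run_scenario(NatDevice(upnp_mappings={3389: ("192.168.1.10", 3389)}), PUBLIC_IP),
    )


if __name__ == "__main__":
    for label, verdicts in zip(("stateful filter", "NAT", "NAT + UPnP"), compare()):
        print(label, verdicts)
```

The filter's state table and the NAT's translation table admit exactly the same inbound packets: the reply to the connection the inside host opened, and nothing else. The only difference in the output is the fourth step, where a UPnP mapping left enabled on the NAT lets an unsolicited connection through to the inside host, which is the point ArkanoiD makes against NAT boxes.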
------------------------------

Message: 8
Date: Mon, 27 Aug 2007 15:23:27 -0400
From: Dave Piscitello <dave@corecom.com>
Subject: Re: [fw-wiz] ***SPAM*** Re: IPv6 support in firewalls
To: ArkanoiD <ark@eltex.net>
Cc: "Patrick M. Hausen" <hausen@punkt.de>, Firewall Wizards Security
Mailing List <firewall-wizards@listserv.cybertrust.com>
Message-ID: <46D324AF.60504@corecom.com>
Content-Type: text/plain; charset="iso-8859-1"

Agree that adds/drops/changes (mergers, acquisitions, divestitures)
cause huge headaches. Are F1000 companies willing to swap this headache
for the headache associated with introducing a new NL protocol and
security product set?

ArkanoiD wrote:
> I think the real reason behind that is not to have those machines in
> "routable space" but just to avoid collisions when you merge big networks
> (ever seen megring two companies both using 10/8? it's just a nightmare ;-)
>
> On Mon, Aug 27, 2007 at 09:30:45AM +0200, Patrick M. Hausen wrote:
>> Yes, I think "official" registered address space for every single
>> node, PC, mobile phone, fridge, coffee machine, ... _is_ the
>> ultimate goal and one of the major reasons to deploy IPv6.
>
>


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 16, Issue 15
************************************************
