firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: New to Cisco PIX/ ASA (Paul Melson)
2. Re: Check Point NG FP3 HF2 on Solaris 5.8 (Robert D. Hughes)
3. Cisco PIX 501 Help (UxBoD)
----------------------------------------------------------------------
Message: 1
Date: Thu, 2 Aug 2007 00:59:22 -0400
From: "Paul Melson" <pmelson@gmail.com>
Subject: Re: [fw-wiz] New to Cisco PIX/ ASA
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<40ecb01f0708012159j6b19775s25a7568bef026fd2@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
On 8/1/07, Keith A. Glass <salgak@speakeasy.net> wrote:
> Am I correct in my understanding that if I want two-way traffic, traffic is
> not blocked to a lower trust level, so I need only write a rule to pass the
> traffic between the endpoints from the external interface to the internal
> interface, and the reply traffic is taken care of ?? Or do I have to write
> a reverse rule, from the internal interface to the external as well ???
PIX/ASA are 'stateful' firewalls meaning that if the initiating SYN
packet is allowed via explicit (or in the case of interface security
levels, implicit) policy, return traffic will be allowed by virtue of
the state table.
I am going to attempt a lousy ASCII diagram because Visio just doesn't
work for mailing lists.
Case 1: Outbound Traffic To Internet
client:1024 ---> Eth0/0(security 100)--Eth1/0(security 0) --->
external web site:80
[ no access-list is needed by default because of security levels,
however specifying one is a good idea for a number of reasons that
probably aren't worth getting into here in this brace]
external web site:80 ---> Eth1/0(security 0)--Eth0/0(security 100)
---> client:1024
[ no access-list is needed for return traffic because this connection
is in the state table. were there no table entry matching client:1024
to webserver:80, this traffic would be dropped just like a NetScreen,
Check Point, SonicWall - but maybe not Gauntlet]
Case 2: Inbound Traffic From Internet
client:1024 ---> Eth1/0(security 0)--Eth0/0(security 100) --->
internal web site:80
[ this requires an access-list and probably also a static nat and more
- read the manual]
internal web site:80 ---> Eth0/0(security 100)--Eth1/0(security 0)
---> client:1024
[ assuming the access-list is in place above, this return traffic is
also allowed because of the state table]
It's also worth mentioning that if you have Internet-facing servers
they belong in a DMZ, which adds an additional level of complexity
(but also security!) here. A good rule of thumb when dealing with
PIX/ASA is to all but ignore the interface security levels and build
explicit access-list rules for all of the traffic you want to allow
and deny. This reduces mistakes and also makes auditing
configurations and analyzing logs easier down the road. It's worth
the effort to do it right, right now.
Good luck!
PaulM
------------------------------
Message: 2
Date: Thu, 2 Aug 2007 02:22:26 -0500
From: "Robert D. Hughes" <rob@robhughes.com>
Subject: Re: [fw-wiz] Check Point NG FP3 HF2 on Solaris 5.8
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>, "Firewall Wizards Security
Mailing List" <firewall-wizards@listserv.cybertrust.com>
Message-ID:
<19C1FEA5E2906A469B4DA47D9F75FF9C0420FD@netsvr.robhughes.com>
Content-Type: text/plain; charset="iso-8859-1"
Disclaimer: sorry for the top post, I'm stuck in OWA right now...
FWD won't help with the policy install. In NG, FWM on the manager talks to CPD on the firewall. FWD was only used pre-NG for policy installs. Debug those two processes to find out what's happening. You might also try:
fw fetch <manager>
and see if that tells you anything useful.
Regards,
Rob
-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com on behalf of Robby Cauwerts
Sent: Wed 8/1/2007 6:00 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Check Point NG FP3 HF2 on Solaris 5.8
On 7/20/07, Robert Fenech <robertfenech@gmail.com> wrote:
>
> Hi,
>
> I am encountering a problem when it comes to install a policy on an NG FP3
> HF2 firewall running on an old Solaris 5.8 machine.
>
> Primarily when the policy is about to be installed I get the message
> "Failed to install policy. Please make sure that Firewall-1 services are
> running...".
>
>
Try a cprestart or cpstop/cpstart on the fw module ( be aware of the impact
on your traffic/remote mgmt of the fw!).
And then try to push the policy again a few times.
If this doesn't solve the problem, try to debug cpd and fwd (check the CP
knowledge base or post a reply).
Br.
Robby
------------------------------
Message: 3
Date: Mon, 6 Aug 2007 20:56:29 +0100 (BST)
From: UxBoD <uxbod@splatnix.net>
Subject: [fw-wiz] Cisco PIX 501 Help
To: firewall-wizards@listserv.icsalabs.com
Message-ID:
<6538839.11721186430189397.JavaMail.root@office.splatnix.net>
Content-Type: text/plain; charset=utf-8
Hi,
Have just been given a couple of 501's to set up at work. Basic configuration has been performed, and that is working fine. The question I have is whether there is any way to set up 100+ one-to-one static port mappings using object groups? My IP setup is as follows :-
outside -> inside -> host
10.7.152.2 -> 10.6.0.200 -> 10.6.0.202
I have an application that uses 30 ports, plus X11, plus remote support via pcAnywhere. I have created the ACLs using object groups, but I don't really fancy setting up individual TCP/UDP static entries.
If I use something like :-
static (inside,outside) interface 10.6.0.202 netmask 255.255.255.255 0 0
Then the outside interface SSH server will not work, as all traffic gets mapped through to the inside interface :( Obviously we need to support via the outside interface, so is there any way around it?
Could I put the SSH on the inside interface and then do something like :-
static (inside,outside) tcp interface 2222 10.6.0.202 22 netmask 255.255.255.255 0 0
so that we just have to connect to port 2222 instead and that will map it through so we can administer the PIX ?
I see on our IOS that we can use access-list on the static mapping, is this a potential use ?
Hope my explanation makes sense ?
Regards,
--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net
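The following is an added example, not code from the digest or from any of the posters. It turns two points from this digest into a concrete PIX 6.x configuration: Paul's advice in message 1 to write explicit access-lists for everything instead of leaning on interface security levels, and the question in message 3 about 100+ one-to-one static port mappings on a PIX 501. The static command does not accept object groups, so the script generates one port-level static per port; because a port-level static (`static ... tcp interface PORT ...`) only redirects that single port, the outside interface's own tcp/22 stays available for managing the PIX, which is the problem the whole-interface static in the post runs into. The addresses come from the post (outside 10.7.152.2, host 10.6.0.202); the 30-port application range (tcp 7000-7029), the X11 ports, the pcAnywhere ports (tcp 5631, udp 5632), the inside /24 and the ACL names are constructed assumptions for the example.

```shell
#!/bin/sh
# Added example: emit an explicit access-list + static configuration for a
# PIX 6.x in the thread's scenario. Addresses are from the post; the port
# list, inside netmask and ACL names are assumptions made for this example.

OUTSIDE_IP=10.7.152.2            # outside interface (from the post)
SERVER=10.6.0.202                # inside host being published (from the post)
INSIDE_NET="10.6.0.0 255.255.255.0"   # assumed inside subnet
MASK=255.255.255.255
MGMT_SSH_PORT=22                 # kept free for the PIX's own SSH server
PCANYWHERE_TCP=5631              # assumed pcAnywhere ports
PCANYWHERE_UDP=5632
X11_PORTS="6000 6001"            # assumed X11 displays :0 and :1

# Constructed: a contiguous 30-port application range, tcp 7000-7029.
app_ports() {
    p=7000
    while [ "$p" -le 7029 ]; do
        echo "$p"
        p=$((p + 1))
    done
}

# One port-level static per port. Only that port is redirected, so the
# outside interface keeps tcp/22 for managing the PIX itself; port 22 is
# refused here so it cannot be mapped away by accident.
gen_statics() {   # $1 = tcp|udp, remaining args = ports
    proto=$1; shift
    for port in "$@"; do
        if [ "$port" -eq "$MGMT_SSH_PORT" ]; then
            echo "! refusing to map tcp/$MGMT_SSH_PORT: reserved for PIX management" >&2
            continue
        fi
        echo "static (inside,outside) $proto interface $port $SERVER $port netmask $MASK 0 0"
    done
}

# Port redirection with different outside and inside ports (the 2222 -> 22
# idea from the post). PIX 6.2+ requires the tcp|udp keyword in this form.
gen_redirect() {   # $1 = tcp|udp, $2 = outside port, $3 = inside port
    echo "static (inside,outside) $1 interface $2 $SERVER $3 netmask $MASK 0 0"
}

# Explicit inbound policy. A service object-group keeps the ACL short even
# though the static command itself cannot use one.
gen_inbound_acl() {   # args = tcp ports to publish
    echo "object-group service APP_TCP tcp"
    for port in "$@"; do echo " port-object eq $port"; done
    echo "access-list outside_in permit tcp any host $OUTSIDE_IP object-group APP_TCP"
    echo "access-list outside_in permit udp any host $OUTSIDE_IP eq $PCANYWHERE_UDP"
    echo "access-list outside_in deny ip any any"
    echo "access-group outside_in in interface outside"
}

# Explicit outbound policy: the "Case 1" traffic that security levels would
# allow implicitly, written out so the config can be audited.
gen_outbound_acl() {
    echo "access-list inside_out permit tcp $INSIDE_NET any eq www"
    echo "access-list inside_out permit tcp $INSIDE_NET any eq https"
    echo "access-list inside_out deny ip any any"
    echo "access-group inside_out in interface inside"
}

# Number of static entries the full port list produces (port 22 is skipped).
count_statics() {
    gen_statics tcp $(app_ports) $X11_PORTS $PCANYWHERE_TCP $MGMT_SSH_PORT 2>/dev/null | grep -c '^static '
}

emit_config() {
    gen_statics tcp $(app_ports) $X11_PORTS $PCANYWHERE_TCP
    gen_statics udp $PCANYWHERE_UDP
    gen_redirect tcp 2222 22
    gen_inbound_acl $(app_ports) $X11_PORTS $PCANYWHERE_TCP 2222
    gen_outbound_acl
}

emit_config
```

Paste the output into configuration mode, then confirm with `show static` and `show access-list` that every published port has both a static and an ACL line, and that nothing claims the interface's tcp/22. Exposing X11 and pcAnywhere directly to the Internet is what the post asks for, not something this example endorses; the explicit `deny ip any any` lines at least make what is open visible in the config and the logs.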
------------------------------
End of firewall-wizards Digest, Vol 16, Issue 5
***********************************************