firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: IPv6 support in firewalls (ArkanoiD)
2. Re: Check Point NG FP3 HF2 on Solaris 5.8 (Behm, Jeffrey L.)
3. Re: CSA Question (bobw@avantsystems.com)
4. Re: New to Cisco PIX/ ASA (Jason)
5. Re: CSA Question (Marcus Gavel (mgavel))
----------------------------------------------------------------------
Message: 1
Date: Wed, 22 Aug 2007 02:01:11 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: dave@corecom.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20070821220111.GA2364@eltex.net>
Content-Type: text/plain; charset=us-ascii
Well, I guess there are some legacy A and B networks owned but not really
routable, reserved by big guys like Pentagon or Citibank ;-)
No, it is not a real address shortage that will push us into IPv6,
it's just the Vista crowd.
On Wed, Aug 15, 2007 at 01:39:04PM -0400, Dave Piscitello wrote:
> I suppose I should begin by answering "why the interest in IPv6?"
> question. Simply put, we are running out of IPv4 addresses (yeah, I
> know, the Sky is Falling, NAT will save us forever...). Based on current
> consumption rates, some folks speculate that the remaining addresses
> not yet distributed by IANA will be exhausted by 2009.
------------------------------
Message: 2
Date: Tue, 21 Aug 2007 17:07:24 -0500
From: "Behm, Jeffrey L." <BehmJL@bv.com>
Subject: Re: [fw-wiz] Check Point NG FP3 HF2 on Solaris 5.8
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<0C3670BC9169B244AA6E7B2E436180D196372B@TSMC-MAIL-04.na.bvcorp.net>
Content-Type: text/plain; charset="us-ascii"
To the OP: Did you happen to (oops!) put in a rule that stops the
management server from talking to the managed firewall? (Or accidentally
take out one that allows it?)
________________________________
From: firewall-wizards-bounces@listserv.cybertrust.com
[mailto:firewall-wizards-bounces@listserv.cybertrust.com] On Behalf Of
Robert D. Hughes
Sent: Thursday, August 02, 2007 2:22 AM
To: Firewall Wizards Security Mailing List; Firewall Wizards
Security Mailing List
Subject: Re: [fw-wiz] Check Point NG FP3 HF2 on Solaris 5.8
Disclaimer: sorry for the top post, I'm stuck in OWA right now...
FWD won't help with the policy install. In NG, FWM on the manager talks
to CPD on the firewall. FWD was only used pre-NG for policy installs.
Debug those two processes to find out what's happening.
You might also try:
fw fetch <manager>
and see if that tells you anything useful.
Regards,
Rob
-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com on behalf
of Robby Cauwerts
Sent: Wed 8/1/2007 6:00 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Check Point NG FP3 HF2 on Solaris 5.8
On 7/20/07, Robert Fenech <robertfenech@gmail.com> wrote:
>
> Hi,
>
> I am encountering a problem when it comes to installing a policy on an NG FP3
> HF2 firewall running on an old Solaris 5.8 machine.
>
> Primarily when the policy is about to be installed I get the message
> "Failed to install policy. Please make sure that Firewall-1 services are
> running...".
>
Try a cprestart or cpstop/cpstart on the fw module (be aware of the impact
on your traffic/remote mgmt of the fw!).
And then try to push the policy again a few times.
If this doesn't solve the problem try to debug cpd and fwd (check CP
knowledgebase or post a reply).
Br.
Robby
------------------------------
Message: 3
Date: Wed, 22 Aug 2007 07:17:54 -0500 (CDT)
From: "bobw@avantsystems.com" <bobw@avantsystems.com>
Subject: Re: [fw-wiz] CSA Question
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <1187785097.v2.fusewebmail-228660@ffuse9>
Content-Type: text/plain;charset=iso-8859-1
CSA includes default rules that will place the machine in "lockdown" mode
if a compromise is detected; this works quite well, but a false positive
can become a real PITA.
----- Original Message -----
Subject: [fw-wiz] CSA Question
Date: Tue, August 21, 2007 9:06
From: "Carric Dooley" <carric@com2usa.com>
> I have been looking thru the Cisco site and I'm wondering if anyone knows
> if you can configure the CSA to disable network interfaces, for instance
> if it's attacked, or shut down.
>
> --
> Carric Dooley
> COM2:Interactive Media USA
> http://www.com2usa.com
------------------------------
Message: 4
Date: Wed, 22 Aug 2007 08:35:40 -0400
From: Jason <jasonisnow@gmail.com>
Subject: Re: [fw-wiz] New to Cisco PIX/ ASA
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<1de866020708220535m4b8553c6l7ac86adfe9b22823@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
The only minor thing I'll add for the sake of clarity is the need for translation
(NAT or its many flavors) when traversing any two interfaces on a PIX/ASA.
When typical traffic (non-VPN) from the internal interface, Eth0/0, is
destined for the external interface, Eth0/1, network address translation has
to occur. This would include the use of a nat/global command pairing:
global (outside) 1 66.166.x.x 255.255.x.x
nat (inside) 1 192.168.1.x 255.255.255.x
When traversing any two interfaces you always need two things: permission
(access-list) and translation (NAT or one of its cousins).
On 8/6/07, ArkanoiD <ark@eltex.net> wrote:
>
> Not being a PIX expert, but as I see no one answers: no, you do not need
> a reverse rule if the protocol is known and does not require strange
> callbacks.
>
> If it does, it is hard to say what your configuration looks like ;-)
>
> On Wed, Aug 01, 2007 at 06:41:53PM -0400, Keith A. Glass wrote:
> >
> > I've managed Gauntlets, Checkpoints, Netscreens, and SonicWalls in the
> > past.
> >
> > I'm a bit confused with the ins and outs of the ASA firewalls.
> >
> > I'm setting up an HA pair, my Eth0/0 is my interior interface, trust
> > level 100, Eth 0/1 and 0/2 are my IP and State heartbeats, and Eth 1/0
> > is my external interface, trust level 1.
> >
> > Am I correct in my understanding that if I want two-way traffic,
> > traffic is not blocked to a lower trust level, so I need only write a
> > rule to pass the traffic between the endpoints from the external
> > interface to the internal interface, and the reply traffic is taken
> > care of? Or do I have to write a reverse rule, from the internal
> > interface to the external as well?
> >
--
-->j
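Jason's point that a new flow across two interfaces needs both permission (access-list) and translation, and Keith's question about reverse rules, modelled as a small stateful simulation. This is an added example, not PIX/ASA code; the nat/global pool, static and access-list entries are constructed and use documentation addresses.

```python
from ipaddress import ip_address, ip_network

class PixLikeFirewall:
    """Toy model of the thread's PIX/ASA rules: permission plus translation, state for replies."""
    def __init__(self):
        self.acl = []       # (proto, src_net, mapped_dst, dport) permitted in on 'outside'
        self.statics = {}   # mapped outside address -> real inside address (static)
        self.nat = []       # (inside_net, global_addr) from a nat/global pair
        self.conns = {}     # (proto, iface, src, sport, dst, dport) -> translated address

    def add_acl(self, proto, src_net, mapped_dst, dport):
        self.acl.append((proto, src_net, mapped_dst, dport))

    def add_static(self, mapped, real):
        self.statics[mapped] = real

    def add_nat_global(self, inside_net, global_addr):
        self.nat.append((inside_net, global_addr))

    def _map_inside(self, real):
        # Translation for a host leaving 'inside': a static wins, then the nat/global pool.
        for mapped, r in self.statics.items():
            if r == real:
                return mapped
        for net, gaddr in self.nat:
            if ip_address(real) in ip_network(net):
                return gaddr
        return None

    def _install(self, proto, real, lport, mapped, peer, pport):
        # One conn entry per direction, so the reply needs no reverse rule either way.
        self.conns[(proto, "inside", real, lport, peer, pport)] = mapped
        self.conns[(proto, "outside", peer, pport, mapped, lport)] = real

    def packet(self, iface, proto, src, sport, dst, dport):
        """Verdict for one packet arriving on iface: (action, reason)."""
        if (proto, iface, src, sport, dst, dport) in self.conns:
            return "allow", "existing connection"
        if iface == "outside":
            # Lower to higher security: needs an access-list permit AND a static.
            permitted = any(p == proto and m == dst and port == dport
                            and ip_address(src) in ip_network(net)
                            for p, net, m, port in self.acl)
            if not permitted:
                return "deny", "no access-list permit"
            if dst not in self.statics:
                return "deny", "no translation for destination"
            self._install(proto, self.statics[dst], dport, dst, src, sport)
            return "allow", "new inbound connection"
        # Higher to lower security: permitted by default, but still needs a translation.
        mapped = self._map_inside(src)
        if mapped is None:
            return "deny", "no translation group for source"
        self._install(proto, src, sport, mapped, dst, dport)
        return "allow", "new outbound connection"
```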
------------------------------
Message: 5
Date: Wed, 22 Aug 2007 12:21:50 -0400
From: "Marcus Gavel (mgavel)" <mgavel@cisco.com>
Subject: Re: [fw-wiz] CSA Question
To: <firewall-wizards@listserv.cybertrust.com>
Cc: Kristian Erik Hermansen <kristian.hermansen@gmail.com>
Message-ID:
<89BDF5F4737898499165AED099FEBDC303AFE05B@xmb-rtp-20b.amer.cisco.com>
Content-Type: text/plain; charset="us-ascii"
There is no single checkbox to do what you describe.
Look at CSA as being able to observe system behavior and set a trigger
based on that.
Once the trigger is set, deny rules will be applied selectively to the
system.
Take care with this, as you can apply deny rules that are persistent.
Timing them out is tricky.
Kristian wrote an internal paper a couple years ago on how to implement
"Port Knocking" using CSA.
It has good methodology on how to implement triggers, apply alternate
rules and then time out those rules.
I'll see if I can get that posted up to the Cisco site.
In the meantime, look at the User's Guide for the system states of
High/Medium/Low as they apply to Rule Modules and the "Set" action
available in the majority of the rule types.
One implementation might be:
Rule Module 1 - (trigger)
  - Connection Rate limit rule
    - If greater than 500 connections in a minute, set system state = high
Rule Module 2 - (enforce)
  - If system state = high, apply rules in this module
  - In all other states these rules are ignored.
  - Rules:
    - NACL (Network Access Control): deny all new TCP/UDP server connections
    - Netshield: drop all incoming ICMP traffic
On the CSAMC, configure an alert to email the admin when the last
two rules fire. This will ID the quarantined box.
Marcus Gavel
Cisco Security Agent - QA / Escalation Support
-----Original Message-----
From: Kristian Erik Hermansen [mailto:kristian.hermansen@gmail.com]
Sent: Tuesday, August 21, 2007 7:30 PM
To: firewall-wizards@listserv.cybertrust.com
Cc: Marcus Gavel (mgavel)
Subject: Re: CSA Question
On 8/21/07, Carric Dooley <carric@com2usa.com> wrote:
> I have been looking thru the Cisco site and I'm wondering if anyone
> knows if you can configure the CSA to disable network interfaces, for
> instance if it's attcked, or shut down.
I work on the Cisco Security Agent team, and I do know that there is a
"Network Lock" mode, which will disallow all new connections. I believe
we also added some new features for disabling wireless devices in a
recent release. I am unsure if there is a way to define a rule such as
"if rootkit is detected, disable all interfaces". I am cc'ing Marcus
Gavel, who should be able to get you an answer...
--
Kristian Erik Hermansen
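Marcus's two-module design above (a rate trigger that sets the system state, an enforce module that applies only while the state is high, and the problem of timing those rules out again), modelled as a small simulation. This is an added example, not CSA code or Cisco's; the 300-second hold time and the burst of connections are constructed assumptions.

```python
from collections import deque

class CsaLikeAgent:
    """Toy model of the two rule modules: a rate trigger sets the system state,
    and enforcement rules apply only while the state is high."""
    def __init__(self, threshold=500, window=60.0, hold=300.0):
        self.threshold = threshold   # connections per window (Marcus's 500 per minute)
        self.window = window         # seconds, the sliding window for the rate rule
        self.hold = hold             # assumed hold time before the high state times out
        self.recent = deque()        # timestamps of recent new connections
        self.state = "low"
        self.high_until = None
        self.alerts = []             # what the CSAMC would email the admin

    def _expire(self, now):
        # Timing the rules out: leave the high state once the hold time has passed.
        if self.state == "high" and now >= self.high_until:
            self.state, self.high_until = "low", None

    def _rate_trigger(self, now):
        # Rule Module 1: connection-rate limit over a sliding window.
        self.recent.append(now)
        while now - self.recent[0] >= self.window:
            self.recent.popleft()
        if len(self.recent) > self.threshold and self.state != "high":
            self.state, self.high_until = "high", now + self.hold
            self.alerts.append((now, "state=high"))

    def evaluate(self, now, proto, direction, new_conn):
        """Verdict ('allow' or 'deny') for one event; direction is 'in' or 'out'."""
        self._expire(now)
        if new_conn:
            self._rate_trigger(now)
        if self.state != "high":
            return "allow"           # Rule Module 2 is ignored in every other state
        if new_conn and proto in ("tcp", "udp") and direction == "in":
            self.alerts.append((now, f"NACL denied new {proto} server connection"))
            return "deny"            # NACL: no new TCP/UDP server connections
        if proto == "icmp" and direction == "in":
            self.alerts.append((now, "Netshield dropped inbound icmp"))
            return "deny"            # Netshield: drop all incoming ICMP
        return "allow"

def run_scenario():
    """Constructed scenario: a burst of 501 inbound TCP connections in about 50 s."""
    agent = CsaLikeAgent()
    burst = [agent.evaluate(i / 10, "tcp", "in", True) for i in range(501)]
    return {
        "allowed_in_burst": burst.count("allow"),
        "denied_in_burst": burst.count("deny"),
        "icmp_while_high": agent.evaluate(60.0, "icmp", "in", False),
        "outbound_while_high": agent.evaluate(100.0, "tcp", "out", True),
        "icmp_after_timeout": agent.evaluate(400.0, "icmp", "in", False),
        "alerts": [msg for _, msg in agent.alerts],
    }
```

The 501st connection is the one that trips the trigger and is the first to be denied; outbound traffic is untouched, and inbound ICMP is allowed again once the hold time has expired.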
------------------------------
End of firewall-wizards Digest, Vol 16, Issue 6
***********************************************