firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: IPS Content filtering techniques (ArkanoiD)
2. Re: IPv6 support in firewalls (Darren Reed)
3. Re: IPv6 support in firewalls (Dave Piscitello)
4. Re: IPv6 support in firewalls (Mohit Sharma)
----------------------------------------------------------------------
Message: 1
Date: Thu, 23 Aug 2007 02:47:06 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] IPS Content filtering techniques
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Cc: Panahi Behzad U/IT-S <behzad.panahi@scb.se>
Message-ID: <20070822224705.GA29747@eltex.net>
Content-Type: text/plain; charset=us-ascii
Well, what's the purpose of getting those null data through?
Why do you need it?
On Wed, Aug 15, 2007 at 03:35:24PM +0200, Skough Axel U/IT-S wrote:
>
> Does really nobody know anything about a Web proxy product filtering on the MIME Content-Type setting and capable of omitting this check when the MIME Content-Length setting in force appears to be zero? RFC 2616 states that the Content-Type header can be omitted in this situation and, indeed, it has no meaning as the data section is declared to be of length zero.
>
> Otherwise the data section should of course in general be assumed to be of type "application/octet-stream", but when no data section is present there is obviously no problem in bypassing the Content-Type check! Thus, there are no data to prevent from entering in this situation, but the packet in force may have other meanings such as a redirect etc.
>
> I would appreciate any comments in this matter!
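The zero-length case asked about above, as an added example that is not from any poster or product in the thread: a proxy-side Content-Type policy that skips the type check only when the response provably carries no body, and treats a bodied response without Content-Type as application/octet-stream. The allow-list and the sample response heads are constructed for the example.

```python
from typing import Dict, Tuple
# Constructed allow-list for the example; a real proxy would load its own policy.
ALLOWED_TYPES = {"text/html", "text/plain", "image/png", "image/gif"}

def parse_head(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.1 response head into (status code, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())  # first value wins
    return status, headers

def has_body(status: int, headers: Dict[str, str]) -> bool:
    """RFC 2616 4.3/4.4: 1xx, 204 and 304 never carry a body.  Otherwise Transfer-Encoding
    outranks Content-Length: a chunked response is assumed to have a body even with
    Content-Length: 0 present, and a missing Content-Length means read-until-close."""
    if 100 <= status < 200 or status in (204, 304):
        return False
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return True
    length = headers.get("content-length", "")
    return not (length.isdigit() and int(length) == 0)

def decide(raw: bytes) -> Tuple[str, str]:
    """Return ("allow" | "block", reason).  The Content-Type check is skipped only
    when the response provably has no body; a bodied response without Content-Type
    defaults to application/octet-stream (RFC 2616 7.2.1), which is not allowed."""
    status, headers = parse_head(raw)
    if not has_body(status, headers):
        return "allow", "no body; Content-Type not required"
    media = headers.get("content-type", "application/octet-stream").split(";", 1)[0].strip().lower()
    if media in ALLOWED_TYPES:
        return "allow", f"Content-Type {media} permitted"
    return "block", f"Content-Type {media} not permitted"

# Constructed sample response heads exercising the policy.
SAMPLES = {
    "redirect_no_body": b"HTTP/1.1 302 Found\r\nLocation: http://example.invalid/\r\nContent-Length: 0\r\n\r\n",
    "html_ok": b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 5\r\n\r\n",
    "body_without_type": b"HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\n",
    "chunked_zero_length": b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(name, *decide(head))
```

The chunked sample is the caveat: Content-Length: 0 alone is not proof of an empty body when Transfer-Encoding is also present, so the type check must still run there.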
------------------------------
Message: 2
Date: Wed, 22 Aug 2007 21:56:57 -0700
From: Darren Reed <darrenr@reed.wattle.id.au>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: David Lang <david.lang@digitalinsight.com>
Cc: "Marcus J. Ranum" <mjr@ranum.com>, dave@corecom.com, Firewall
Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <46CD1399.6030100@reed.wattle.id.au>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
David Lang wrote:
> On Wed, 22 Aug 2007, Darren Reed wrote:
>
>> Marcus J. Ranum wrote:
>>> Dave Piscitello wrote:
>>>> I suppose I should begin by answering "why the interest in IPv6?"
>>>> question. Simply put, we are running out of IPv4 addresses (yeah, I
>>>> know, the Sky is Falling, NAT will save us forever...). Based on current
>>>> consumption rates, some folks speculate that the remaining addresses
>>>> not yet distributed by IANA will be exhausted by 2009.
>>>
>>> This prediction was made before, if I recall correctly. In 1994. Except
>>> that we were going to run out, uh, in 1999. Yes, the sky is falling, but
>>> it appears to be falling fairly slowly and gently. :)
>>>
>>> Perhaps something better than IPv6 will still come along. You know,
>>> like what a few of us suggested back in 1992 - namely doubling
>>> the address size, left-filling with zeroes, and bumping the
>>> version number? ;)
>> ..
>>
>> It's not just this, people today want to deploy/build large scale IP
>> networks where 10/8 isn't enough, not to mention giving those
>> addresses visibility to the Internet.
>
> Who has 4B machines? Or assume that you gave each machine a /30
> subnet; who has 1B machines?
I said 10/8, not 0/32.
10/8 is only 16M addresses.
How many mobile phones are there connected to (say) AT&T's phone network?
More than 16M. What if AT&T wanted to be able to address each phone individually
on their internal network at any given point in time?
And then what about, say, one of the Chinese carriers with another 30M phones?
How do you fit those into an already crowded Internet address space with
only 32 bits of addressing available to you?
> the claim that 10/8 isn't big enough is making large assumptions
> about how you allocate the addresses.
Yes and no. If you think about it, 16,000,000 isn't really a lot.
At 4B, that's barely enough for 1 per person for some value of "yesterday".
If you said everyone on the planet was entitled to a /24, then you need over
40 bits in the address space, and that's just flat allocation.
> as for making those machines visible on the Internet, I'd ask why
> they need to be directly visible. Something on this scale is probably
> not _really_ needing everyone else on the Internet to connect on
> arbitrary ports, and once you start defining what traffic you need you
> can define ways to get to them with that traffic without needing to
> have the machines directly visible (also contrary to what the IPv6
> pushers say)
Even if they don't need to be directly visible on the Internet,
they may need to be (or it is desirable for it to be possible)
visible inside some other network.
People design networks according to various needs.
As corporations grow and the world connected to the network
grows, so too will the demands placed on IPv4 addresses.
While there will always be refuseniks that want to believe that
IPv4 can't do it, the reality is it is getting close to the end of
its useful life in terms of address space. Having to put everything
behind NATs sucks for end host visibility.
Move with the times, accept that IPv6 will become reality,
shout and scream a little if that helps. But we are getting to
a point where the amount of engineering required to keep
IPv4 going is becoming more than it's worth, so accepting
that, however much it hurts, is probably worth your while.
Darren
------------------------------
Message: 3
Date: Wed, 22 Aug 2007 19:29:20 -0400
From: Dave Piscitello <dave@corecom.com>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <46CCC6D0.3040906@corecom.com>
Content-Type: text/plain; charset="iso-8859-1"
There are several firewall products that support IPv6 today. My initial
findings from this survey suggest that the carrier/large enterprise
class products are closer to fully featured and the SOHO/SMB products
are less so. So you can put up a perimeter, for what that's worth.
I'm told that Asia and Europe are "ahead" in deployment of IPv6, and
that Asian and European sites {sometimes, often, ...} encapsulate IPv6
in IPv4 and use IPsec tunnels for site to site. This also allows
enterprises to use IPv4 security policy enforcement and to assign
dwindling IPv4 addresses to public-facing servers. It's also possible to
tunnel IPv4 in IPv6 (IPsecv6). I don't think this is a "conversion" as
much as a conservancy effort thus far. If you don't have coal, you burn
wood.
I believe that the number of servers that are IPv6 addressable and
reachable is large relative to IPv5 reachable servers. You can look at
name servers in most TLD zone files and find a handful that are assigned
AAAA RRs.
I think we're fleshing out many issues about IPv6 deployment. Dual stack
is expensive. If backbone routers are struggling with IPv4 tables, I
can't imagine that adding IPv6 makes things easier for them, but I could
be wrong.
Shahin Ansari wrote:
> Greetings-
> Let me start by saying it is an honor to be able to view your
> postings. I have read Marcus's book on security, and it has been an
> immense help. Now to my point:
> - How is it that (I have heard) Asia PAC countries like China have
> converted to IPv6 already? Given all the security issues you mention ...
>
> - Some propose having every device support both stacks; what are some of
> the issues you can run into with this? CPU?
>
> Regards-
> Sean
>
> "Marcus J. Ranum" <mjr@ranum.com> wrote:
>
> Dave Piscitello wrote:
> >I suppose I should begin by answering "why the interest in IPv6?"
> >question. Simply put, we are running out of IPv4 addresses (yeah, I
> >know, the Sky is Falling, NAT will save us forever...). Based on current
> >consumption rates, some folks speculate that the remaining addresses
> >not yet distributed by IANA will be exhausted by 2009.
>
> This prediction was made before, if I recall correctly. In 1994. Except
> that we were going to run out, uh, in 1999. Yes, the sky is falling, but
> it appears to be falling fairly slowly and gently. :)
>
> Perhaps something better than IPv6 will still come along. You know,
> like what a few of us suggested back in 1992 - namely doubling
> the address size, left-filling with zeroes, and bumping the
> version number? ;) Of course everyone screamed that that would
> never work because the backbone routers would need gigabytes
> of memory and nobody could do something crazy like that. Or
> invent CIDR routing or spanning trees or any of the other network
> tricks that have come up since 1992 that would have made the
> idea workable, practical, and in place and functioning by now...
>
> But, to your real point:
> >I'm not convinced we can even meet the
> >modest (that's as polite as I can be) security baseline we achieve with
> >IPv4 security products with available IPv6 security products. What
> >little I've learned in the short time I've spent asking security
> >companies about IPv6 support isn't encouraging.
>
> It shouldn't be. Let's see - it took HOW long to even sort out the
> most obvious DOS vectors in V4, which was a vastly simpler
> protocol. The recent rumblings about problems in V6 indicate
> that finding flaws in V6 will be a lot like hunting Passenger
> Pigeons was in the 1700's: point your shotgun at the sky and
> pull the trigger and several will fall at your feet.
>
> It's a hell of a price to pay for bigger address spaces and
> the ego-boost of the IETFniks who get to say they worked on
> the next big protocol, huh?
>
> mjr.
>
------------------------------
Message: 4
Date: Thu, 23 Aug 2007 11:13:28 -0400
From: "Mohit Sharma" <i.m.cupids.arrow@gmail.com>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<4800e50c0708230813l2c04335ei14c72b9fea656904@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
It seems like an interesting topic to put my first ever post to this mailing
list. While I believe that all firewall/IDS/IPS have prepared themselves to
combat the IPv6 flaws, I am not surprised that China has converted
without any problems (or maybe nobody has claimed yet) because the rest of the
world (mostly, I mean) still remains on IPv4 and we've yet to see the future
of IPv6.
While IPv6 autoconfiguration brings new heights of IP addressing and DHCP
functionality, it brings some serious security considerations.
The movement from IPv4 to IPv6 would not be seamless, and moving to IPv6
would not mean that IPv4 would not exist at all (I assume); the developers
have given a choice to tunnel IPv6 in IPv4, which still remains a concern,
and the future would unfold the upcoming flaws. While I hope the best for IPv6
due to the kind of investment developers have put into it, it is the destiny of
every computer network to be exploited by the world it belongs to.
--
Regards;
Sucked up Soul aka MAX
On 8/22/07, Shahin Ansari <zohal52@yahoo.com> wrote:
>
> Greetings-
> Let me start by saying it is an honor to be able to view your postings.
> I have read Marcus's book on security, and it has been an immense help. Now
> to my point:
> - How is it that (I have heard) Asia PAC countries like China have
> converted to IPv6 already? Given all the security issues you mention ...
>
> - Some propose having every device support both stacks; what are some of
> the issues you can run into with this? CPU?
>
> Regards-
> Sean
>
> "Marcus J. Ranum" <mjr@ranum.com> wrote:
>
> Dave Piscitello wrote:
> >I suppose I should begin by answering "why the interest in IPv6?"
> >question. Simply put, we are running out of IPv4 addresses (yeah, I
> >know, the Sky is Falling, NAT will save us forever...). Based on current
> >consumption rates, some folks speculate that the remaining addresses
> >not yet distributed by IANA will be exhausted by 2009.
>
> This prediction was made before, if I recall correctly. In 1994. Except
> that we were going to run out, uh, in 1999. Yes, the sky is falling, but
> it appears to be falling fairly slowly and gently. :)
>
> Perhaps something better than IPv6 will still come along. You know,
> like what a few of us suggested back in 1992 - namely doubling
> the address size, left-filling with zeroes, and bumping the
> version number? ;) Of course everyone screamed that that would
> never work because the backbone routers would need gigabytes
> of memory and nobody could do something crazy like that. Or
> invent CIDR routing or spanning trees or any of the other network
> tricks that have come up since 1992 that would have made the
> idea workable, practical, and in place and functioning by now...
>
> But, to your real point:
> >I'm not convinced we can even meet the
> >modest (that's as polite as I can be) security baseline we achieve with
> >IPv4 security products with available IPv6 security products. What
> >little I've learned in the short time I've spent asking security
> >companies about IPv6 support isn't encouraging.
>
> It shouldn't be. Let's see - it took HOW long to even sort out the
> most obvious DOS vectors in V4, which was a vastly simpler
> protocol. The recent rumblings about problems in V6 indicate
> that finding flaws in V6 will be a lot like hunting Passenger
> Pigeons was in the 1700's: point your shotgun at the sky and
> pull the trigger and several will fall at your feet.
>
> It's a hell of a price to pay for bigger address spaces and
> the ego-boost of the IETFniks who get to say they worked on
> the next big protocol, huh?
>
> mjr.
>
------------------------------
End of firewall-wizards Digest, Vol 16, Issue 9
***********************************************