
Thursday, September 13, 2007

firewall-wizards Digest, Vol 17, Issue 12

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Isolating internal servers behind firewalls (Bill Stout)
2. Re: PIX 501 to PIX 515 IPSec VPN failure, when the 515
already has a VPN (Glenn Crissman)
3. Re: PIX 501 to PIX 515 IPSec VPN failure, when the 515
already has a VPN (Julian M. Dragut)
4. Re: PIX 501 to PIX 515 IPSec VPN failure, when the 515
already has a VPN (Christopher J. Wargaski)


----------------------------------------------------------------------

Message: 1
Date: Wed, 12 Sep 2007 14:27:48 -0700 (PDT)
From: Bill Stout <billbrietstout@yahoo.com>
Subject: Re: [fw-wiz] Isolating internal servers behind firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <756714.54295.qm@web31801.mail.mud.yahoo.com>
Content-Type: text/plain; charset=us-ascii

> ----- Original Message ----
> From: Dan Lynch <DLynch@placer.ca.gov>
> To: firewall-wizards@listserv.icsalabs.com
> Sent: Monday, May 7, 2007 12:35:25 PM

Wow, your system date is way off...

> How prevalent is it to segregate internal use servers away from internal
> clients behind firewalls? What benefits might we gain from the practice?
> What threats are we protected from?

Your Law Enforcement side of the network may have services running on the server that you don't want your non-LE people accessing, such as MS-SQL, IIS/Sharepoint, FTP, RDP, etc.

Although your share may not necessarily benefit, you could protect the other services, and against things like 135/RPC or 1433/SQL worms if they reappear. A firewall would reduce the number of entry points or at least trim your threat modeling threat tree. Granted there are ways to attack a system via NetBIOS/SMB, the guys working for the county may not possess the skills necessary to exploit 137-139/445 or know what to do next. There are probably not a lot of CISSP-qualified individuals up in them hills in the first place, which makes you a rarity.

> The firewall/security group argues that servers and clients should exist
> in separate security zones, and that consolidating servers behind
> firewalls allows us to
> - Control which clients connect to which servers on what ports
> - Centralized administration of that network access
> - Centralized logging of network access
> - a single point for intrusion detection and prevention measures

A firewall would also provide you with event logs and timestamps for what IP tried to access what service. When access alerts pop up, immediately asking an inquisitive user "what are you doing?" is effective at reducing future access attempts. You have the benefit of asking a uniform to walk with you for effect.

> These benefits protect us from risk associated with internal attackers
> and infected mobile devices or vendor workstations.
>
> On the other hand, the server team counters that
>
> - troubleshooting problems becomes more difficult
> - firewall restrictions on which workstations can perform administration
> makes general maintenance inconvenient, esp. in an emergency

Not necessarily; permit rules can allow free access from a sysadmin IP range or specific IPs.

> - the threats we're countering are exceedingly rare

Because technical enforcement of policy is becoming more effective. If we become complacent, the trend will reverse.

> - a broken (or hacked) firewall config breaks all access to servers if
> consolidated behind firewalls

More likely tripping over a cable or an on/off switch error, but yes, a firewall failure should shut off access.

I believe you're a Nokia/Checkpoint environment, so you might want to check into their stateful filters for NetBIOS. Since NetBIOS is noisy, logging NetBIOS access may not be feasible, though you could still log other service access.

Bill Stout
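The logging benefit Bill describes (which internal IP tried which server service, with a timestamp) is easy to turn into a small triage script. The following is an added example, not code from the thread or from any vendor: it parses constructed PIX-style "106023 Deny" syslog lines, summarizes denied client-to-server:port attempts, and flags any source that was denied on two or more admin-type ports (RPC, SMB, MS-SQL, RDP), i.e. the users worth walking over to ask "what are you doing?". The log lines and the ADMIN_PORTS set are assumptions made up for the example.

```python
"""Summarize firewall deny events from a server-segment firewall.

Added example; the sample log lines below are constructed in the
PIX/ASA 106023 message format and are not from the mailing-list thread.
"""
import re
from collections import defaultdict

# Constructed sample syslog lines (not real traffic).
SAMPLE_LOG = """\
Sep 12 14:01:03 fw1 %PIX-4-106023: Deny tcp src inside:10.10.5.23/3310 dst servers:10.20.0.10/1433 by access-group "inside_in"
Sep 12 14:01:09 fw1 %PIX-4-106023: Deny tcp src inside:10.10.5.23/3311 dst servers:10.20.0.10/3389 by access-group "inside_in"
Sep 12 14:01:15 fw1 %PIX-4-106023: Deny tcp src inside:10.10.5.23/3312 dst servers:10.20.0.11/445 by access-group "inside_in"
Sep 12 14:02:40 fw1 %PIX-4-106023: Deny tcp src inside:10.10.7.8/51002 dst servers:10.20.0.10/1433 by access-group "inside_in"
Sep 12 14:03:01 fw1 %PIX-6-302013: Built inbound TCP connection 8812 for inside:10.10.7.8/51003 (10.10.7.8/51003) to servers:10.20.0.12/80 (10.20.0.12/80)
"""

# Only the 106023 (ACL deny) message is of interest; other message IDs are skipped.
DENY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+%PIX-\d-106023: Deny (?P<proto>\w+) "
    r"src \S+:(?P<src>[\d.]+)/\d+ dst \S+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Assumed list of "admin" services that ordinary workstations should not reach.
ADMIN_PORTS = {135: "rpc", 445: "smb", 1433: "mssql", 3389: "rdp"}


def parse_denies(text):
    """Return a list of deny events: dicts with ts, proto, src, dst, dport."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if m:
            events.append({
                "ts": m["ts"],
                "proto": m["proto"],
                "src": m["src"],
                "dst": m["dst"],
                "dport": int(m["dport"]),
            })
    return events


def summarize(events):
    """Map each source IP to the set of (server, port) pairs it was denied to."""
    per_src = defaultdict(set)
    for e in events:
        per_src[e["src"]].add((e["dst"], e["dport"]))
    return dict(per_src)


def flag_sources(events, min_distinct_admin_ports=2):
    """Sources denied on >= N distinct admin ports, with the service names.

    A single stray SQL connection is usually a misconfigured client; the same
    host probing SQL, RDP and SMB in quick succession deserves a conversation.
    """
    flagged = {}
    for src, targets in summarize(events).items():
        ports = {p for _, p in targets if p in ADMIN_PORTS}
        if len(ports) >= min_distinct_admin_ports:
            flagged[src] = sorted(ADMIN_PORTS[p] for p in ports)
    return flagged


if __name__ == "__main__":
    evs = parse_denies(SAMPLE_LOG)
    for src, services in flag_sources(evs).items():
        first = min(e["ts"] for e in evs if e["src"] == src)
        print(f"{src}: denied on {', '.join(services)} (first seen {first})")
```

Running it prints one line for 10.10.5.23, which was denied on mssql, rdp and smb; 10.10.7.8 is not flagged because its only deny was a single SQL attempt, and its permitted HTTP connection (a 302013 "Built" message) is ignored entirely.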


------------------------------

Message: 2
Date: Wed, 12 Sep 2007 23:08:24 -0400
From: "Glenn Crissman" <gwcrissman@gmail.com>
Subject: Re: [fw-wiz] PIX 501 to PIX 515 IPSec VPN failure, when the
515 already has a VPN
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<40fb38410709122008i5789a234i3d2065074abfcd07@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

First guess is check your NAT 0 access lists on both sides. If you don't
have an acl entry there matching your interesting traffic acl for the 515 /
501 L2L VPN it won't attempt to come up. The PIX will NAT the traffic (or at
least attempt to) before it hits the crypto engine.

On v6 do 'sh nat', on v7+ do 'sh run nat'. You're looking for the 'nat
(interface) 0 access-list ...' statement(s).

You might have already checked this, but it's a first guess.

On 9/12/07, Jerry B. Altzman <jbaltz@altzman.com> wrote:
>
> Hi,
>
> I wonder if any of you have encountered this problem before with
> PIX<->PIX VPNs.
>
> A client of mine has 3 firewalls: a Fortigate, a 515 and a 501. The 515
> and FG already have an IPSec lan-to-lan VPN between them that works fine.
>
> We'd like to set up a mesh of L2L VPNs, but first steps first: we need
> to connect the 515 to the new 501.
>
> I've gone through the configurations, followed the directions from
> cisco's website, cleared everything out and done everything *but*
> restarted the 515 (which is in production and might cause some
> consternation if it were rebooted willy-nilly)
>
> I've watched the logging output, and it doesn't seem that the 501/515
> pair even attempt to do the phase 1 IPSec negotiations. It's just that
> NOTHING happens at all.
>
> Has anyone seen this? Any received wisdom on this? My search-engine-fu
> must be weak, I've not managed to tease out a solution to this from the
> all-seeing GoogleEye.
>
> Thanks!
>
> //jbaltz
> --
> jerry b. altzman jbaltz@altzman.com www.jbaltz.com
> thank you for contributing to the heat death of the universe.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20070912/7464e5b6/attachment-0001.html
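Glenn's check (every network pair in the crypto map's "match address" ACL must also appear in the "nat (interface) 0 access-list" exemption, otherwise the PIX translates the traffic before the crypto engine ever sees it and no phase 1 is attempted) can be automated against a saved config. The following is an added example, not code from the thread or from Cisco: it parses the relevant lines of a constructed PIX 6.x-style config (access-list, nat 0 access-list, crypto map match address), and reports each crypto ACL entry whose source/destination pair is not covered by some NAT 0 exemption entry. It goes slightly beyond the post by also handling the "any" and "host" endpoint forms. The config text is made up for the example; the ACL and map names in it are assumptions.

```python
"""Cross-check PIX crypto ACLs against NAT 0 (nat exemption) ACLs.

Added example; SAMPLE_CONFIG is a constructed fragment, not a real device
config and not from the mailing-list thread.
"""
import ipaddress

# Constructed config: the 515<->FortiGate tunnel is exempted from NAT,
# the new 501 tunnel's networks were never added to the nonat ACL.
SAMPLE_CONFIG = """\
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list to_fortigate permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list to_pix501 permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map outside_map 10 match address to_fortigate
crypto map outside_map 20 match address to_pix501
crypto map outside_map interface outside
"""


def _parse_endpoint(tokens):
    """Consume one ACL endpoint ('any', 'host A', or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX uses dotted netmasks; ip_network accepts "addr/netmask" directly.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Return (acls, nat0_acl_names, crypto_match_acl_names).

    acls maps an ACL name to a list of (src_net, dst_net) permit-ip entries.
    Only the three statement types relevant to the check are parsed.
    """
    acls, nat0_acls, crypto_acls = {}, set(), []
    for raw in text.splitlines():
        t = raw.split()
        if len(t) >= 6 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, rest = _parse_endpoint(t[4:])
            dst, _ = _parse_endpoint(rest)
            acls.setdefault(t[1], []).append((src, dst))
        elif len(t) == 5 and t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            nat0_acls.add(t[4])
        elif len(t) == 7 and t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            crypto_acls.append(t[6])
    return acls, nat0_acls, crypto_acls


def _covered(src, dst, exemptions):
    """True if some exemption entry contains both the source and destination nets."""
    return any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exemptions)


def find_uncovered(text):
    """List (crypto_acl, src, dst) entries that are not exempted from NAT.

    Each returned entry is a tunnel the PIX will silently NAT instead of
    encrypting, which matches the 'nothing happens at all' symptom.
    """
    acls, nat0_acls, crypto_acls = parse_config(text)
    exemptions = [pair for name in nat0_acls for pair in acls.get(name, [])]
    problems = []
    for name in crypto_acls:
        for src, dst in acls.get(name, []):
            if not _covered(src, dst, exemptions):
                problems.append((name, str(src), str(dst)))
    return problems


if __name__ == "__main__":
    for name, src, dst in find_uncovered(SAMPLE_CONFIG):
        print(f"crypto ACL {name}: {src} -> {dst} has no matching nat 0 exemption")
```

On the sample config it reports the to_pix501 entry only; adding `access-list nonat permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.255.0` makes the report empty. On a real box the input would be the output of the `sh run` Glenn mentions (PIX 7+) or the relevant `sh` commands on 6.x, saved to a file.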


------------------------------

Message: 3
Date: Wed, 12 Sep 2007 16:38:41 -0400
From: "Julian M. Dragut" <julianmd@gmail.com>
Subject: Re: [fw-wiz] PIX 501 to PIX 515 IPSec VPN failure, when the
515 already has a VPN
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<8118617d0709121338v753808b1u33215383533297cd@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

I've had the same issue with 515 and 2 X 505's running 6.4, and I had
to remove the crypto map from the 515 before adding the second 505,
and then re-apply it to the interface.

It looks like the ACL and maps could get corrupted, therefore, before
adding anything to the crypto map, I always make sure I unbind it,
make the changes and then rebind it.

On 9/12/07, Jerry B. Altzman <jbaltz@altzman.com> wrote:
> Hi,
>
> I wonder if any of you have encountered this problem before with
> PIX<->PIX VPNs.
>
> A client of mine has 3 firewalls: a Fortigate, a 515 and a 501. The 515
> and FG already have an IPSec lan-to-lan VPN between them that works fine.
>
> We'd like to set up a mesh of L2L VPNs, but first steps first: we need
> to connect the 515 to the new 501.
>
> I've gone through the configurations, followed the directions from
> cisco's website, cleared everything out and done everything *but*
> restarted the 515 (which is in production and might cause some
> consternation if it were rebooted willy-nilly)
>
> I've watched the logging output, and it doesn't seem that the 501/515
> pair even attempt to do the phase 1 IPSec negotiations. It's just that
> NOTHING happens at all.
>
> Has anyone seen this? Any received wisdom on this? My search-engine-fu
> must be weak, I've not managed to tease out a solution to this from the
> all-seeing GoogleEye.
>
> Thanks!
>
> //jbaltz
> --
> jerry b. altzman jbaltz@altzman.com www.jbaltz.com
> thank you for contributing to the heat death of the universe.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

--
Best regards,


Julian Dragut
If you knew that you wouldn't fall, how far would you have gone?


------------------------------

Message: 4
Date: Wed, 12 Sep 2007 10:56:03 -0500
From: "Christopher J. Wargaski" <wargo1@gmail.com>
Subject: Re: [fw-wiz] PIX 501 to PIX 515 IPSec VPN failure, when the
515 already has a VPN
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<17065120709120856w68866822yd1f817951130fcb0@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

I have seen this when there is a routing problem. Can the 515 ping the
outside interface of the 501?

On 9/12/07, Jerry B. Altzman <jbaltz@altzman.com> wrote:
> Hi,
>
> I wonder if any of you have encountered this problem before with
> PIX<->PIX VPNs.
>
> A client of mine has 3 firewalls: a Fortigate, a 515 and a 501. The 515
> and FG already have an IPSec lan-to-lan VPN between them that works fine.
>
> We'd like to set up a mesh of L2L VPNs, but first steps first: we need
> to connect the 515 to the new 501.
>
> I've gone through the configurations, followed the directions from
> cisco's website, cleared everything out and done everything *but*
> restarted the 515 (which is in production and might cause some
> consternation if it were rebooted willy-nilly)
>
> I've watched the logging output, and it doesn't seem that the 501/515
> pair even attempt to do the phase 1 IPSec negotiations. It's just that
> NOTHING happens at all.
>
> Has anyone seen this? Any received wisdom on this? My search-engine-fu
> must be weak, I've not managed to tease out a solution to this from the
> all-seeing GoogleEye.
>
> Thanks!
>
> //jbaltz
> --
> jerry b. altzman jbaltz@altzman.com www.jbaltz.com
> thank you for contributing to the heat death of the universe.


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 17, Issue 12
************************************************
