firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. wireless security on notebooks (Andres)
2. L2TP & Split Tunnel - (Andrew Andrews)
3. VPN suggestions wanted (tandernam)
4. Re: wireless security on notebooks (Paul D. Robertson)
5. Re: wireless security on notebooks (ArkanoiD)
6. Re: VPN suggestions wanted (Josh Ward)
7. Re: wireless security on notebooks (Paul D. Robertson)
8. Re: VPN suggestions wanted (Brian Loe)
----------------------------------------------------------------------
Message: 1
Date: Sat, 15 Sep 2007 12:05:48 -0300
From: Andres <andrej100@gmail.com>
Subject: [fw-wiz] wireless security on notebooks
To: firewall-wizards@listserv.icsalabs.com
Message-ID:
<f6f93420709150805j5846e331uf891536bb436f537@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Dear people,
My question is regarding wireless security, on win xp.
I have a home network, with a wireless access point and two notebooks
(and one desktop connected via cable).
When I'm at home, I want to use the access point's firewall, and leave
all the other things unsecured, like the file sharing turned on on the
notebooks (I'm using WEP).
When my wife goes out with her computer, I have to rely on her memory
to turn on the firewall.
What I want is to install a virtual wireless network adapter, and to
use one wireless adapter with my home's wifi network and another with
the others. Then, leave the firewall always on (I use Sygate) and make
it work only for the foreign networks. I didn't find such virtual
network adapters. I have the one that comes with VMWare, but it
doesn't have the "wireless networks" tab. This kind of solution is 5
minutes' work on Linux, it can be done by configuring a single text
file, but for Windows, I'm getting mad.
I don't want to fill my computer with antivirus, anti-spyware, and
Norton rubbish, I prefer a simple configuration like this.
Please, if you have some ideas about this, share them with me, or
perhaps tell me that I'm missing something that makes this
situation nonviable.
Best regards,
Andres H
Argentina
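The network-aware firewall switching Andres describes, as an added example that is not part of the original post. It is a Python script rather than the virtual-adapter trick he asked about: it parses the output of `netsh wlan show interfaces` (present on Vista and later; on XP the same data would have to come from the WLAN API or the vendor utility, which is an assumption here), classifies the association as home or foreign, and only on a positive match of SSID, BSSID and WPA authentication relaxes the file-and-printer-sharing rule group, leaving the host firewall itself on everywhere. The home-network values and the captured command output are constructed; `--live` and `--apply` are flags of this script, not of any Windows tool.

```python
import re
import subprocess
import sys

# Known home network. Constructed values for this example; on a real machine
# take the BSSID from the access point itself, not from a cached association.
HOME_NETWORK = {
    "ssid": "casa-andres",
    "bssid": "00:1a:2b:3c:4d:5e",
    "authentication": "WPA2-Personal",
}

# Constructed sample of `netsh wlan show interfaces` output (field layout
# follows the real command) so the script runs offline without --live.
SAMPLE_NETSH_OUTPUT = """
There is 1 interface on the system:

    Name                   : Wireless Network Connection
    Description            : Example 802.11g adapter
    GUID                   : 00000000-0000-0000-0000-000000000000
    Physical address       : aa:bb:cc:dd:ee:ff
    State                  : connected
    SSID                   : casa-andres
    BSSID                  : 00:1a:2b:3c:4d:5e
    Network type           : Infrastructure
    Radio type             : 802.11g
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Channel                : 6
"""

# "Key : value" lines; the lazy key match stops at the first colon so that
# MAC-address values keep their own colons.
_FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")


def parse_netsh_interfaces(text):
    """Return the reported interface fields as a dict with lowercase keys."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields


def classify_network(fields, home=HOME_NETWORK):
    """Return ("home", reason) or ("foreign", reason).

    Anything not positively identified as the home network (no association,
    SSID-only match, a different access point, WEP or open security) counts
    as foreign, so the default outcome is the restrictive one.
    """
    if fields.get("state", "").lower() != "connected":
        return "foreign", "not associated with any wireless network"
    if fields.get("ssid") != home["ssid"]:
        return "foreign", "SSID is not the home network"
    if fields.get("bssid", "").lower() != home["bssid"].lower():
        return "foreign", "home SSID but a different access point (BSSID)"
    auth = fields.get("authentication", "")
    if not auth.startswith("WPA"):
        return "foreign", "home SSID but weak or no encryption (%s)" % (auth or "none")
    if auth != home["authentication"]:
        return "foreign", "unexpected authentication type (%s)" % auth
    return "home", "SSID, BSSID and WPA authentication all match"


def firewall_commands(location):
    """netsh commands: firewall on everywhere, file sharing only at home.

    `netsh advfirewall` is the Vista-and-later syntax; XP SP2 uses
    `netsh firewall` instead (assumption: adapt to the product actually
    installed, e.g. Sygate in the original post).
    """
    enable = "yes" if location == "home" else "no"
    return [
        ["netsh", "advfirewall", "set", "currentprofile", "state", "on"],
        ["netsh", "advfirewall", "firewall", "set", "rule",
         "group=File and Printer Sharing", "new", "enable=" + enable],
    ]


def main(argv):
    if "--live" in argv:
        proc = subprocess.run(["netsh", "wlan", "show", "interfaces"],
                              capture_output=True, text=True, check=False)
        text = proc.stdout
    else:
        text = SAMPLE_NETSH_OUTPUT
    location, reason = classify_network(parse_netsh_interfaces(text))
    print("%s network: %s" % (location, reason))
    for cmd in firewall_commands(location):
        print("  " + " ".join(cmd))
        if "--live" in argv and "--apply" in argv:
            subprocess.run(cmd, check=False)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it without arguments to see the decision for the embedded sample; with `--live` it reads the real adapter state, and only `--live --apply` together change anything. The BSSID check matters because an SSID is trivially reused by any access point; the authentication check is what makes Paul's "WEP is dead" point operational, since a WEP or open association is never treated as home.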
------------------------------
Message: 2
Date: Thu, 13 Sep 2007 14:24:16 -0700 (PDT)
From: Andrew Andrews <incognito_54@yahoo.com>
Subject: [fw-wiz] L2TP & Split Tunnel -
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <882633.10363.qm@web60816.mail.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1
Hello,
This is more of a conversation, looking for input on
some issues that have come up while trying to get L2TP
IPSEC in place.
The PIX in question (Pix 515 ver 6.3) has been running
a VPN in tunnel mode that allowed Cisco VPN clients to
connect. However, a change in the network layout has
the PIX outside interface IP address change to a
private address. A load balancer now sits in front of
the PIX. From my reading, I had to change my VPN from
tunnel to transport mode. Since the VPN call would be
made to the load balancer interface, which would then
NAT to the outside PIX interface. This NAT process
would break IPSEC transport, and tunnel is what I went
with. In so far, could someone please tell me if this
decision was correct? As the direction I took led me
to the next question:
L2TP transport mode is what I have now deployed in my
test environment. Works fine. Except for split
tunneling. L2TP does not support split tunneling. This
is what I have read so far and I could be wrong. But
so far it does not support split tunneling. I thus have
2 questions as regards split tunneling:
What are the thoughts on split tunneling and the
dangers it poses to a network when enabled, and are
there any workarounds to allowing clients connected
to the VPN via L2TP access to the Internet?
many thanks for your time.
.a
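The split-tunnel question above comes down to what the client's routing table says, so here is an added example (not part of the original post) that audits it. It parses the IPv4 table printed by `route print` on Windows (constructed samples below, one full-tunnel and one split-tunnel), resolves a few probe destinations the way the host stack does (longest prefix, then lowest metric), and reports which of them would leave the machine outside the VPN adapter. The VPN adapter address, VPN server address and probe hosts are assumptions for the example.

```python
import ipaddress
import re

# Constructed `route print` IPv4 tables. 10.8.0.6 is the VPN adapter's address
# (assumption), 192.168.1.10 the physical LAN adapter, 203.0.113.10 the VPN
# server, which must stay reachable outside the tunnel even in full-tunnel mode.
FULL_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10     25
          0.0.0.0        128.0.0.0         10.8.0.5        10.8.0.6      1
        128.0.0.0        128.0.0.0         10.8.0.5        10.8.0.6      1
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.10    281
     203.0.113.10  255.255.255.255      192.168.1.1    192.168.1.10     25
"""

SPLIT_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10     25
         10.0.0.0        255.0.0.0         10.8.0.5        10.8.0.6      1
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.10    281
     203.0.113.10  255.255.255.255      192.168.1.1    192.168.1.10     25
"""

# One data row: destination, netmask, gateway (address or "On-link"),
# interface address, metric. Header and separator lines do not match.
_ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_route_table(text):
    routes = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        routes.append({
            "network": ipaddress.IPv4Network("%s/%s" % (dest, mask), strict=False),
            "gateway": gateway, "interface": iface, "metric": int(metric),
        })
    return routes


def lookup(routes, address):
    """Longest prefix wins, lowest metric breaks ties, as the host stack does."""
    addr = ipaddress.IPv4Address(address)
    best = None
    for r in routes:
        if addr in r["network"]:
            rank = (r["network"].prefixlen, -r["metric"])
            if best is None or rank > best[0]:
                best = (rank, r)
    return best[1] if best else None


# Constructed probe destinations: an Internet host (documentation range), a
# corporate host behind the concentrator, and a host on the local LAN.
PROBES = {"internet": "198.51.100.1", "corporate": "10.5.5.5", "local lan": "192.168.1.50"}


def audit(routes, vpn_interface, probes=PROBES):
    """Where each probe would be sent, and whether Internet traffic leaves the VPN."""
    paths = {}
    for label, addr in probes.items():
        r = lookup(routes, addr)
        paths[label] = r["interface"] if r else None
    bypassing = [label for label, iface in paths.items() if iface != vpn_interface]
    return {
        "full_tunnel": paths["internet"] == vpn_interface,
        "paths": paths,
        "bypassing": bypassing,
    }


if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        report = audit(parse_route_table(table), "10.8.0.6")
        verdict = "all Internet traffic via VPN" if report["full_tunnel"] else "SPLIT: Internet bypasses the VPN"
        print("%s: %s" % (name, verdict))
        for label, iface in report["paths"].items():
            print("   %-10s via %s" % (label, iface))
```

The full-tunnel table uses the two half-default routes (0.0.0.0/1 and 128.0.0.0/1) that many clients install to beat the physical default route on prefix length rather than metric; the split-tunnel table only pulls the corporate 10.0.0.0/8 through the VPN. Note that even the full-tunnel table leaves the directly connected subnet reachable at the routing level, which is the "local LAN access" exposure an audit like this makes visible.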
------------------------------
Message: 3
Date: Sat, 15 Sep 2007 03:22:21 -0400
From: tandernam <tandernam@gmail.com>
Subject: [fw-wiz] VPN suggestions wanted
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<fffafbbb0709150022r675d8b83j315fbfab9c2b8f3f@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
I'm doing some work with a small company (about a dozen employees)
that needs to make their remote access more reliable. I'm looking to
set up a (new) VPN for them (the old one is a hack job). I'm looking
for suggestions on a solution, something fairly simple to set up that
I can just plug between their intranet and the interweb. Reliability
is key. I'm mostly looking for a hardware solution (just because I
think it would be easier to set up and more reliable), but I'd be very
interested to hear from anyone who is running a good small-scale
(please don't start talking about radius servers...) software gateway.
They're currently running NAT off their soho modem/router on a DSL.
Suggestions and recommendations would be most appreciated.
Cheers,
-tander
------------------------------
Message: 4
Date: Mon, 17 Sep 2007 11:52:01 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] wireless security on notebooks
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0709171148460.5950-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Sat, 15 Sep 2007, Andres wrote:
> When I'm at home, I want to use the access point's firewall, and leave
> all the other things unsecured, like the file sharing turned on on the
> notebooks (I'm using WEP).
WEP is dead. If you're not using WPA, you have no security.
> I don't want to fill my computer of antivirus, anti spyware, and
> Norton rubbish, I prefer a simple configuration like this.
> Please, if you have some ideas about this, share it with me, or
> perhaps to tell me that I'm missing something that makes this
> situation nonviable.
All the Windows attacks of late have been in-band; if you're not running
AV on Windows the only way to save yourself from anything other than DLL
injections is to be running software restriction policies in default deny
mode. Without on-access AV scanning and anti-spyware scanning you're
likely to have a compromise.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
http://www.fluiditgroup.com/blog/pdr/
------------------------------
Message: 5
Date: Mon, 17 Sep 2007 20:48:33 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] wireless security on notebooks
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20070917164833.GA9178@eltex.net>
Content-Type: text/plain; charset=us-ascii
On Mon, Sep 17, 2007 at 11:52:01AM -0400, Paul D. Robertson wrote:
> > I don't want to fill my computer of antivirus, anti spyware, and
> > Norton rubbish, I prefer a simple configuration like this.
> > Please, if you have some ideas about this, share it with me, or
> > perhaps to tell me that I'm missing something that makes this
> > situation nonviable.
>
> All the Windows attacks of late have been in-band, if you're not running
> AV on Windows the only way to save yourself from anything other than DLL
> injections is to be running software restriction policies in default deny
> mode. Without on-access AV scanning and anti-spyware scanning you're
> likely to have a compromise.
Well really? Are zero-day attacks widespread enough? I assume if you
do Windows Update in time and do not watch pr0n (which increases the
probability of meeting a zero-day exploit) you are almost safe. I'd also
suggest not using IE.
------------------------------
Message: 6
Date: Mon, 17 Sep 2007 10:02:02 -0700
From: Josh Ward <jward@network-services.uoregon.edu>
Subject: Re: [fw-wiz] VPN suggestions wanted
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <46EEB30A.4030000@network-services.uoregon.edu>
Content-Type: text/plain; charset=ISO-8859-1
tandernam wrote:
> I'm doing some work with a small company (about a dozen employees)
> that needs to make their remote access more reliable. I'm looking to
> set up a (new) VPN for them (the old one is a hack job). I'm looking
> for suggestions on a solution, something fairly simple to set up that
> I can just plug between their intranet and the interweb. Reliability
> is key. I'm mostly looking for a hardware solution (just because I
> think it would be easier to set up and more reliable), but I'd be very
> interested to hear from anyone who is running a good small-scale
> (please don't start talking about radius servers...) software gateway.
> They're currently running NAT off their soho modem/router on a DSL.
> Suggestions and recommendations would be most appreciated.
I have used Cisco 851 routers for deployments like this and they work
*great*. I actually have something very similar to what you are
describing at my house using an 851-wireless.
The c851 is a full-blown IOS router (ok, not full blown, but all of the
features that you care about for a small deployment). The 851 has a
hardware crypto processor and the "ezvpn" stuff is really simple to set
up and deploy. These boxes will act as a VPN concentrator (Cisco
PC/MAC/Linux client) or as an EzVPN NEM (Network Extension Mode)
concentrator. This means that if your client ever brings up a second
office tying the two together is dead simple. The software support on
the Cisco client is pretty good as well. It's easier to set up than the
Juniper client and more full featured than SSL VPN clients.
You can get 851's for ~$300 (plus $20/year maintenance), which makes
them pretty affordable for someone looking for SOHO+ equipment.
If you decide to go this route and you aren't Cisco savvy feel free to
e-mail me and I'll share some redacted configs with you to help.
-Josh
--
Josh Ward <jward@network-services.uoregon.edu>
Network Security Engineer - Network Services
University of Oregon
------------------------------
Message: 7
Date: Mon, 17 Sep 2007 13:44:39 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] wireless security on notebooks
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0709171339400.5950-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Mon, 17 Sep 2007, ArkanoiD wrote:
> Well really? Are zero-day attacks widespread enough? I assume if you
> do windows update in time and do not watch pr0n (which increases the
> probability to meet zero-day exploit) you are almost safe. I'd also
> suggest not using IE.
You may think that's a good-enough approach; I don't happen to agree. The
rate of zero-day attacks is not great, but it happens, and frankly, if AV +
updates can't catch them all, then updates alone aren't going to. Now,
you can do a lot of IE configuration and permissioning and get pretty much
there (though I still argue that SRPs are *the* best first-line defense.)
But really, these days there aren't many AV software-generated problems,
and frankly the no-pr0n defense is lacking; these days it's Myspace,
Facebook and still the filesharing sites that are the most likely vectors.
If you're putting all your eggs in Microsoft's ability to catch and push
patches, *especially* if you're not on an English-based version (the OP
appears to not be in the US), then I think you're playing odds: certainly
better odds than 10 years ago, but still odds.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
http://www.fluiditgroup.com/blog/pdr/
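A concrete shape for the default-deny software restriction policy Paul recommends here and in his earlier reply, as an added example that is neither his nor the list's code. It generates a `.reg` file in the layout the Local Security Policy snap-in uses for SRP (the `Safer\CodeIdentifiers` key, a Disallowed default level, and two Unrestricted registry-path rules covering the Windows and Program Files directories). The key and value names reflect my understanding of that layout and should be compared against what secpol.msc writes on a test machine, in a VM, before the file is imported anywhere, because a wrong rule stops everything outside the allowed paths from launching. The rule GUIDs are generated per run and the descriptions are constructed.

```python
import uuid

SAFER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
DISALLOWED = 0x00000      # security level: nothing runs unless a rule allows it
UNRESTRICTED = 0x40000    # security level 262144; its rules live under a key of that name

# Registry-path rules secpol creates itself when SRP is first enabled, which
# keep the OS and installed programs runnable under a Disallowed default.
DEFAULT_ALLOW = [
    r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%",
    r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProgramFilesDir%",
]


def dword(value):
    return "dword:%08x" % value


def reg_str(text):
    """Quoted REG_SZ literal; backslashes and quotes are escaped in .reg files."""
    return '"%s"' % text.replace("\\", "\\\\").replace('"', '\\"')


def expand_sz_hex(text):
    """REG_EXPAND_SZ as regedit exports it: hex(2): UTF-16LE bytes, NUL-terminated,
    wrapped with a trailing backslash every 25 bytes."""
    data = text.encode("utf-16-le") + b"\x00\x00"
    pairs = ["%02x" % b for b in data]
    lines = [",".join(pairs[i:i + 25]) for i in range(0, len(pairs), 25)]
    return "hex(2):" + ",\\\n  ".join(lines)


def path_rule(level, item_data, description, guid=None):
    """One path rule under the given security level."""
    guid = guid or uuid.uuid4()
    return "\n".join([
        "[%s\\%d\\Paths\\{%s}]" % (SAFER, level, guid),
        '"Description"=%s' % reg_str(description),
        '"ItemData"=%s' % expand_sz_hex(item_data),
        '"SaferFlags"=%s' % dword(0),
        "",
    ])


def build_reg(allow_paths=DEFAULT_ALLOW, exempt_admins=False):
    """Whole .reg file: Disallowed default plus Unrestricted rules for allow_paths."""
    out = ["Windows Registry Editor Version 5.00", ""]
    out.append("\n".join([
        "[%s]" % SAFER,
        '"DefaultLevel"=%s' % dword(DISALLOWED),
        '"TransparentEnabled"=%s' % dword(1),   # 1: executables only, 2: DLLs too
        '"PolicyScope"=%s' % dword(1 if exempt_admins else 0),  # 1: skip local admins
        '"AuthenticodeEnabled"=%s' % dword(0),
        "",
    ]))
    # ExecutableTypes (the extension list) is left to the system default here;
    # assumption: add it explicitly if the target build does not populate it.
    for path in allow_paths:
        out.append(path_rule(UNRESTRICTED, path, "Allow " + path))
    return "\n".join(out)


if __name__ == "__main__":
    print(build_reg())
```

Redirect the output to a file and import it with `reg import` on the test machine; the policy takes effect for new processes after a refresh or logon. `TransparentEnabled` is set to 1 (executables only) because that is the quiet setting; raising it to 2 also checks DLLs, which addresses the DLL-injection gap Paul mentions in his first reply at the cost of far more rules to maintain. Everything a user writes under their profile stays blocked, which is precisely the point of default deny and the reason it needs testing before rollout.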
------------------------------
Message: 8
Date: Mon, 17 Sep 2007 13:10:50 -0500
From: "Brian Loe" <knobdy@gmail.com>
Subject: Re: [fw-wiz] VPN suggestions wanted
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<3c4611bc0709171110k352fa64jc331d88c23bfb011@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
I'd be interested in the redacted configs for my own learning
experience - if I may?
On 9/17/07, Josh Ward <jward@network-services.uoregon.edu> wrote:
> tandernam wrote:
> > I'm doing some work with a small company (about a dozen employees)
> > that needs to make their remote access more reliable. I'm looking to
> > set up a (new) VPN for them (the old one is a hack job). I'm looking
> > for suggestions on a solution, something fairly simple to set up that
> > I can just plug between their intranet and the interweb. Reliability
> > is key. I'm mostly looking for a hardware solution (just because I
> > think it would be easier to set up and more reliable), but I'd be very
> > interested to hear from anyone who is running a good small-scale
> > (please don't start talking about radius servers...) software gateway.
> > They're currently running NAT off their soho modem/router on a DSL.
> > Suggestions and recommendations would be most appreciated.
>
> I have used Cisco 851 routers for deployments like this and they work
> *great*. I actually have something very similar to what you are
> describing at my house using an 851-wireless.
>
> The c851 is a full-blown IOS router (ok, not full blown, but all of the
> features that you care about for a small deployment). The 851 has a
> hardware crypto processor and the "ezvpn" stuff is really simple to set
> up and deploy. These boxes will act as a VPN concentrator (Cisco
> PC/MAC/Linux client) or as an EzVPN NEM (Network Extension Mode)
> concentrator. This means that if your client ever brings up a second
> office tying the two together is dead simple. The software support on
> > the Cisco client is pretty good as well. It's easier to set up than the
> > Juniper client and more full featured than SSL VPN clients.
>
> You can get 851's for ~$300 (plus $20/year maintenance), which makes
> them pretty affordable for someone looking for SOHO+ equipment.
>
> If you decide to go this route and you aren't Cisco savvy feel free to
> e-mail me and I'll share some redacted configs with you to help.
>
> -Josh
>
> --
> Josh Ward <jward@network-services.uoregon.edu>
> Network Security Engineer - Network Services
> University of Oregon
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest, Vol 17, Issue 14
************************************************