firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: wireless security on notebooks (Alex Ott)
2. Re: VPN suggestions wanted (Cassell, Damon Z.)
3. Re: PIX 501 to PIX 515 IPSec VPN failure, when the 515
already has a VPN (Jerry B. Altzman)
4. Re: VPN suggestions wanted (Aaron Smith)
----------------------------------------------------------------------
Message: 1
Date: Mon, 17 Sep 2007 21:40:39 +0200
From: Alex Ott <alexott@gmail.com>
Subject: Re: [fw-wiz] wireless security on notebooks
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <m2myvl9j2f.fsf@gmail.com>
Content-Type: text/plain; charset=us-ascii
Hello all
>>>>> "A" == ArkanoiD writes:
A> On Mon, Sep 17, 2007 at 11:52:01AM -0400, Paul D. Robertson wrote:
> I don't want to fill my computer of antivirus, anti spyware, and Norton
> rubbish, I prefer a simple configuration like this. Please, if you have
> some ideas about this, share it with me, or perhaps to tell me that I'm
> missing something that makes this situation nonviable.
>>
>> All the Windows attacks of late have been in-band, if you're not
>> running AV on Windows the only way to save yourself from anything other
>> than DLL injections is to be running software restriction policies in
>> default deny mode. Without on-access AV scanning and anti-spyware
>> scanning you're likely to have a compromise.
A> Well really? Are zero-day attacks widespread enough? I assume if you do
A> windows update in time and do not watch pr0n (which increases the
A> probability to meet zero-day exploit) you are almost safe. I'd also
A> suggest not using IE.
According to reports from our anti-malware team, zero-day attacks are widely
used to gain control over users' systems.
--
With best wishes, Alex Ott, MBA
http://alexott.blogspot.com/
http://content-filtering.blogspot.com/
http://alexott-ru.blogspot.com/ http://content-filtering-ru.blogspot.com/
http://xtalk.msk.su/~ott/
------------------------------
Message: 2
Date: Mon, 17 Sep 2007 14:23:48 -0400
From: "Cassell, Damon Z." <dcassell@mitre.org>
Subject: Re: [fw-wiz] VPN suggestions wanted
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <0AC4B700F00DBB4C94F95727E09914141B90C5@IMCSRV7.MITRE.ORG>
Content-Type: text/plain; charset="us-ascii"
For those not inclined to deal with IOS at the CLI, Cisco has a very
good (and free) Java configuration tool for the 800 series:
http://www.cisco.com/en/US/products/sw/secursw/ps5318/index.html
Makes configuring these devices very easy.
Damon
-----Original Message-----
From: firewall-wizards-bounces@listserv.cybertrust.com
[mailto:firewall-wizards-bounces@listserv.cybertrust.com] On Behalf Of
Brian Loe
Sent: Monday, September 17, 2007 2:11 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] VPN suggestions wanted
I'd be interested in the redacted configs for my own learning
experience - if I may?
On 9/17/07, Josh Ward <jward@network-services.uoregon.edu> wrote:
> tandernam wrote:
> > I'm doing some work with a small company (about a dozen employees)
> > that needs to make their remote access more reliable. I'm looking to
> > set up a (new) VPN for them (the old one is a hack job). I'm looking
> > for suggestions on a solution, something fairly simple to set up that
> > I can just plug between their intranet and the interweb. Reliability
> > is key. I'm mostly looking for a hardware solution (just because I
> > think it would be easier to set up and more reliable), but I'd be very
> > interested to hear from anyone who is running a good small-scale
> > (please don't start talking about radius servers...) software gateway.
> > They're currently running NAT off their soho modem/router on a DSL.
> > Suggestions and recommendations would be most appreciated.
>
> I have used Cisco 851 routers for deployments like this and they work
> *great*. I actually have something very similar to what you are
> describing at my house using an 851-wireless.
>
> The c851 is a full-blown IOS router (ok, not full blown, but all of the
> features that you care about for a small deployment). The 851 has a
> hardware crypto processor and the "ezvpn" stuff is really simple to set
> up and deploy. These boxes will act as a VPN concentrator (Cisco
> PC/MAC/Linux client) or as an EzVPN NEM (Network Extension Mode)
> concentrator. This means that if your client ever brings up a second
> office tying the two together is dead simple. The software support on
> the Cisco client is pretty good as well. It's easier to set up than the
> Juniper client and more full featured than SSL vpn clients.
>
> You can get 851's for ~$300 (plus $20/year maintenance), which makes
> them pretty affordable for someone looking for SOHO+ equipment.
>
> If you decide to go this route and you aren't Cisco savvy feel free to
> e-mail me and I'll share some redacted configs with you to help.
>
> -Josh
>
> --
> Josh Ward <jward@network-services.uoregon.edu>
> Network Security Engineer - Network Services
> University of Oregon
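As an added illustration of the EzVPN setup Josh describes (this is not one of his redacted configs, nor Cisco documentation): a minimal EzVPN remote-access server on an 851 in IOS 12.4-era syntax. The interface roles (FastEthernet4 as WAN, Vlan1 as the 192.168.1.0/24 office LAN), the group name, pool, DNS server, user names and all keys are assumptions chosen for the example; replace them before use.

```cisco
! Added example, not from the thread. Names, addresses and keys are assumptions.
! FastEthernet4 = WAN (ip nat outside), Vlan1 = office LAN 192.168.1.0/24 (ip nat inside).
!
aaa new-model
aaa authentication login ezvpn-xauth local
aaa authorization network ezvpn-group local
username alice secret REPLACE_WITH_STRONG_PASSWORD
!
! Phase 1 policy matching the Cisco VPN client defaults of the period
! (DH group 2 is weak by today's standards; it is what the 2007 client negotiated).
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp keepalive 10
!
! The "group" the client connects to: group key, DNS, address pool, split-tunnel ACL
crypto isakmp client configuration group remote-users
 key REPLACE_WITH_GROUP_KEY
 dns 192.168.1.2
 domain example.internal
 pool ezvpn-pool
 acl 110
!
! Tie group matching, per-user xauth and mode-config together
crypto isakmp profile ezvpn-prof
 match identity group remote-users
 client authentication list ezvpn-xauth
 isakmp authorization list ezvpn-group
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set ezvpn-ts esp-aes 256 esp-sha-hmac
crypto ipsec profile ezvpn-ipsec
 set transform-set ezvpn-ts
 set isakmp-profile ezvpn-prof
!
! One Virtual-Access interface is cloned from this template per connected client
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ezvpn-ipsec
!
ip local pool ezvpn-pool 10.10.20.1 10.10.20.50
!
! Split tunnel: only the office LAN is pushed to the client as a tunnelled route
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
!
! If the 851 also does PAT for the office, exempt LAN-to-VPN-client traffic
! from NAT. Otherwise replies are translated before they reach the crypto
! engine and the tunnel looks up but carries nothing back.
access-list 120 deny   ip 192.168.1.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 120 interface FastEthernet4 overload
```

Two things to check after pasting this in: any inbound ACL on FastEthernet4 must admit UDP 500, UDP 4500 and ESP from the Internet, and `show crypto session` / `show crypto isakmp sa` should show a session per connected client. The group key is shared by every user, which is why per-user xauth (the `username` entries) is not optional.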
------------------------------
Message: 3
Date: Sat, 15 Sep 2007 21:24:50 -0400
From: "Jerry B. Altzman" <jbaltz@altzman.com>
Subject: Re: [fw-wiz] PIX 501 to PIX 515 IPSec VPN failure, when the
515 already has a VPN
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <46EC85E2.6050507@altzman.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Wow, 3 responses so far!
on 2007-09-12 11:56 Christopher J. Wargaski said the following:
> I have seen this when there is a routing problem. Can the 515 ping the
> outside interface of the 501?
Yes, there is 100% reachability on both sides.
on 2007-09-12 23:08 Glenn Crissman said the following:
> First guess is check your NAT 0 access lists on both sides. If you don't
> have an acl entry there matching your interesting traffic acl for the
> 515 / 501 L2L VPN it won't attempt to come up. The PIX will NAT the
> traffic (or at least attempt to) before it hits the crypto engine.
I've cleared the nat 0 entries on both sides already...I'm reasonably
sure that's not it. We're not even seeing IPSec try to *start*, basically.
on 2007-09-12 16:38 Julian M. Dragut said the following:
> I've had the same issue with 515 and 2 X 505's running 6.4, and I had
> to remove the crypto map from the 515 before adding the second 505,
> and then re-apply it to the interface.
>
> It looks like the ACL and maps could get corrupted, therefore, before
> adding anything to the crypto map, I always make sure I unbind it,
> make the changes and then rebind it.
This seems like the most likely candidate. We'll have to find time to
bring down all the VPNs and try rebuilding from scratch.
//jbaltz
--
jerry b. altzman jbaltz@altzman.com
www.jbaltz.com
thank you for contributing to the heat death of the universe.
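To make the two suggestions above concrete, here is an added example (not Jerry's configuration, and not Cisco documentation) of a PIX 6.x hub carrying two L2L tunnels on one crypto map, with the nat 0 entries Glenn refers to and the unbind/rebind step Julian describes. All addresses (RFC 5737 ranges), names and keys are constructed for the example; the 3DES/group 2 choices reflect what a PIX 6.x of the period offers and are weak today.

```cisco
! Added example, not from the thread. Addresses, names and keys are assumptions.
! Hub inside: 192.168.1.0/24.  Spoke A: 192.168.10.0/24 behind 203.0.113.10
!                               Spoke B: 192.168.20.0/24 behind 203.0.113.20
!
! 1. Interesting-traffic ACLs, one per tunnel (these select the crypto map entry)
access-list vpn_to_siteA permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn_to_siteB permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
!
! 2. NAT exemption: every crypto ACL line needs a matching nat 0 line, because
!    the PIX applies NAT before the crypto engine sees the packet. If a line is
!    missing here, traffic to that spoke is translated, never matches the crypto
!    ACL, and ISAKMP is never even initiated.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! 3. Phase 1 (ISAKMP). One pre-shared key per peer, scoped to that peer's address.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key SITEA_SECRET address 203.0.113.10 netmask 255.255.255.255
isakmp key SITEB_SECRET address 203.0.113.20 netmask 255.255.255.255
!
! 4. Phase 2 (IPsec). Both tunnels live on ONE crypto map as separate sequence
!    numbers; only one crypto map can be bound to an interface.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn_to_siteA
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set strong
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address vpn_to_siteB
crypto map outside_map 20 set peer 203.0.113.20
crypto map outside_map 20 set transform-set strong
crypto map outside_map interface outside
sysopt connection permit-ipsec
!
! 5. Julian's workaround when adding sequence 20 to a map that is already bound:
!    unbind, edit, rebind (the existing tunnel to site A drops for the duration).
!      no crypto map outside_map interface outside
!      crypto map outside_map 20 ipsec-isakmp
!      ... (sequence 20 lines as above) ...
!      crypto map outside_map interface outside
!
! 6. Verification, after sending interesting traffic from the inside:
!      show isakmp sa            (a QM_IDLE entry per peer = phase 1 up)
!      show crypto ipsec sa      (pkts encaps/decaps incrementing = phase 2 up)
!      debug crypto isakmp       (no output at all when nat 0 is wrong: the
!                                 packet never reached the crypto engine)
```

The symptom Jerry reports, IPsec never trying to start, is exactly what a NAT-before-crypto miss looks like, which is why the nonat ACL should be compared line by line against each crypto ACL rather than just cleared. The spoke-side configuration is the mirror image: its crypto ACL and nat 0 line name the hub LAN as the destination.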
------------------------------
Message: 4
Date: Mon, 17 Sep 2007 11:25:08 -0600
From: Aaron Smith <smitha@byui.edu>
Subject: Re: [fw-wiz] VPN suggestions wanted
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <1190049908.5933.17.camel@natal.byui.edu>
Content-Type: text/plain
On Sat, 2007-09-15 at 03:22 -0400, tandernam wrote:
> I'm doing some work with a small company (about a dozen employees)
> that needs to make their remote access more reliable. I'm looking to
> set up a (new) VPN for them (the old one is a hack job). I'm looking
> for suggestions on a solution, something fairly simple to set up that
> I can just plug between their intranet and the interweb. Reliability
> is key. I'm mostly looking for a hardware solution (just because I
> think it would be easier to set up and more reliable), but I'd be very
> interested to hear from anyone who is running a good small-scale
> (please don't start talking about radius servers...) software gateway.
> They're currently running NAT off their soho modem/router on a DSL.
> Suggestions and recommendations would be most appreciated.
I've had great luck with OpenVPN on small-scale projects.
@@ron Smith
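For the software-gateway side of the question, an added example of what a small OpenVPN 2.x deployment looks like (this is not Aaron's configuration and not the OpenVPN project's own sample files). The hostname, file paths, networks and certificate names are assumptions; the CA, server and per-user certificates are assumed to have been issued with easy-rsa or similar beforehand.

```conf
# server.conf: added example, not from the thread. Paths and networks are assumptions.
port 1194
proto udp
dev tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem
# HMAC gate on the control channel: packets not signed with the shared ta.key
# are dropped before any TLS processing, which keeps unauthenticated probing
# and DoS away from the TLS stack.
tls-auth /etc/openvpn/ta.key 0
# Client address pool; push the office LAN so clients route it via the tunnel
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
# Drop root once the tun interface and keys are set up
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

# client.ovpn: one certificate per user, issued by the same CA
client
dev tun
proto udp
remote vpn.example.net 1194
ca ca.crt
cert alice.crt
key alice.key
tls-auth ta.key 1
# Require the server certificate to carry the TLS Web Server EKU, so a
# stolen client certificate cannot be used to impersonate the server.
remote-cert-tls server
cipher AES-256-CBC
nobind
persist-key
persist-tun
verb 3
```

Two practitioner notes: add `crl-verify` pointing at the CA's CRL on the server so a lost laptop's certificate can be revoked without reissuing everyone else's, and on current OpenVPN releases the data channel cipher is negotiated through `data-ciphers` (AES-256-GCM by default), so the `cipher` line above matters only for 2007-era clients. The office router still needs UDP 1194 forwarded to the OpenVPN host.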
------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest, Vol 17, Issue 15
************************************************